Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/135052
Type: Conference paper
Title: Nonce@Once: A single-trace EM side channel attack on several constant-time elliptic curve implementations in mobile platforms
Author: Alam, M.
Yilmaz, B.
Werner, F.
Samwel, N.
Zajic, A.
Genkin, D.
Yarom, Y.
Prvulovic, M.
Citation: Proceedings of the 6th IEEE European Symposium on Security and Privacy (Euro S&P 2021), 2021, pp.507-522
Publisher: IEEE
Publisher Place: online
Issue Date: 2021
ISBN: 9781665414913
Conference Name: IEEE European Symposium on Security and Privacy (EuroS&P) (6 Sep 2021 - 10 Sep 2021 : Virtual Online)
Statement of Responsibility: Monjur Alam, Baki Yilmaz, Frank Werner, Niels Samwel, Alenka Zajic, Daniel Genkin, Yuval Yarom, Milos Prvulovic
Abstract: We present the first side-channel attack on full-fledged smartphones that recovers the elliptic curve secret scalar from the electromagnetic signal that corresponds to a single scalar-by-point multiplication in current versions of Libgcrypt, OpenSSL, HACL* and curve25519-donna. To avoid leaking information via side channels, these implementations follow the recommendations of RFC 7748 and use a constant-time conditional swap operation. Our attack targets signal differences created by systematic changes in operand values during this conditional swap operation. We deploy the attack, using low-cost equipment (<$800), against two Android-based mobile phones and against a Linux-based IoT development board. We repeat the attack 100 times, each time with a different scalar, on each device. In all of the implementations considered in this work, our attack successfully recovers the full secret key within seconds. To mitigate the attack we suggest randomizing the exclusive-or mask in the conditional swap operation. We show that this countermeasure is effective in preventing this and similar attacks.
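The conditional swap the abstract refers to, as an added example in C that is not code from the paper or from any of the libraries it names: the RFC 7748 form beside a randomized-mask variant. Splitting the mask into two random shares is my own illustration of the mitigation direction the abstract states, not necessarily the paper's exact construction; LIMBS, the sample limb values and the "random" words in r are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define LIMBS 4  /* field element as 64-bit limbs; size chosen for this constructed example */

/* Constant-time conditional swap as recommended by RFC 7748. Branch-free, but the
 * XOR operands follow a systematic pattern: dummy is all-zero when swap == 0 and
 * equals a ^ b when swap == 1, which is the difference the abstract's EM attack observes. */
void cswap_rfc7748(uint64_t a[LIMBS], uint64_t b[LIMBS], uint64_t swap) {
    uint64_t mask = 0 - swap;                 /* 0x00..0 or 0xff..f */
    for (int i = 0; i < LIMBS; i++) {
        uint64_t dummy = mask & (a[i] ^ b[i]);
        a[i] ^= dummy;
        b[i] ^= dummy;
    }
}

/* Randomized-mask variant: my illustration of the countermeasure direction named in the
 * abstract, not necessarily the paper's exact construction. The mask is split into two
 * random shares m1 and m2 with m1 ^ m2 == mask, so each XOR applies a random-looking
 * operand whether or not a swap happens; the net effect on a and b is unchanged. */
void cswap_randomized(uint64_t a[LIMBS], uint64_t b[LIMBS], uint64_t swap,
                      const uint64_t r[LIMBS]) {   /* r: fresh random words per call */
    uint64_t mask = 0 - swap;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t d = a[i] ^ b[i], m1 = r[i], m2 = r[i] ^ mask;
        a[i] ^= d & m1;  a[i] ^= d & m2;      /* == a[i] ^= d & mask */
        b[i] ^= d & m1;  b[i] ^= d & m2;      /* == b[i] ^= d & mask */
    }
}

/* Self-check on constructed limbs: both variants must yield (a,b) for swap = 0 and
 * (b,a) for swap = 1. Returns 1 on success, 0 on any mismatch. */
int cswap_self_test(void) {
    const uint64_t x[LIMBS] = {0x0123456789abcdefULL, 0x1111111111111111ULL, 0, ~0ULL};
    const uint64_t y[LIMBS] = {0xfedcba9876543210ULL, 0x2222222222222222ULL, 7, 1ULL << 63};
    const uint64_t r[LIMBS] = {0xdeadbeefcafef00dULL, 0x5555aaaa5555aaaaULL, 42, 0x0f0f0f0f0f0f0f0fULL};
    for (uint64_t swap = 0; swap <= 1; swap++) {
        uint64_t a1[LIMBS], b1[LIMBS], a2[LIMBS], b2[LIMBS];
        memcpy(a1, x, sizeof a1); memcpy(b1, y, sizeof b1);
        memcpy(a2, x, sizeof a2); memcpy(b2, y, sizeof b2);
        cswap_rfc7748(a1, b1, swap);
        cswap_randomized(a2, b2, swap, r);
        const uint64_t *ea = swap ? y : x, *eb = swap ? x : y;  /* expected results */
        if (memcmp(a1, ea, sizeof a1) || memcmp(b1, eb, sizeof b1)) return 0;
        if (memcmp(a2, ea, sizeof a2) || memcmp(b2, eb, sizeof b2)) return 0;
    }
    return 1;
}
```

An optimizing compiler may fold the two XORs in cswap_randomized back into a single `d & mask` update, reintroducing the pattern; a deployment would need to inspect the emitted instructions or use assembly-level barriers to keep the shares separate.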
Rights: © 2021, Monjur Alam. Under license to IEEE.
DOI: 10.1109/EuroSP51992.2021.00041
Grant ID: http://purl.org/au-research/grants/arc/DE200101577
http://purl.org/au-research/grants/arc/DP210102670
Published version: https://ieeexplore.ieee.org/
Appears in Collections: Computer Science publications

Files in This Item:
There are no files associated with this item.