Closed Bug 1281548 Opened 8 years ago Closed 4 years ago

[Meta] ECC side-channels in P384 and P521

Categories

(NSS :: Libraries, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wladd, Unassigned)

References

Details

(Keywords: meta, sec-moderate)

We have many places where the ECC code leaks side channel information. This starts with none of the field arithmetic implementations being constant time. Furthermore, our multiplication algorithm doesn't have a regular pattern of operations or memory accesses, due to the use of wNAF. All of these are potentially exploitable, particularly in virtualized environments.

There are several approaches to fixing this:
- Introduce blinding and take the opportunity to fix some of the performance problems to avoid performance regressions: Modified Jacobian coordinates are not faster than Jacobian coordinates (13M vs 11M addition, both 8M doubling), and we can remove excessive inversions.
- Use specialized per-curve routines: for the very popular P256 curve such routines exist in C for 64 bit machines and assembler for recent Intel chips (see Bug 1073990, or the code in Go's cryptographic library), and for Curve25519 a plethora of possible implementations exist. Other curves will have to rely on blinding.

Further investigation shows that we are using ecp_256_32's constant time routines on all platforms, as changed in Bug 831006 for the NIST P256 curve. The other 24 curves we enable are still vulnerable. Luckily P256 is almost ubiquitous in TLS connections, and Firefox only offers P384 and P521 in addition to P256.

We're investigating possible changes to implementations for P384 and P521. Keeping this as a meta bug for changes to those two curves.
Priority: -- → P2
Summary: ECC side-channel leaks → [Meta] ECC side-channels in P384 and P521
Depends on: 1284941
Depends on: 1287216
QA Contact: jjones
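The two points raised above, that wNAF scalar multiplication performs a scalar-dependent sequence of doublings and additions and that blinding the scalar hides which scalar is used, as an added example that is not NSS code: a toy short-Weierstrass curve over a constructed tiny prime (P = 97, not a real curve), where mul_wnaf records a trace that varies with the scalar while a Montgomery ladder with scalar blinding (k + r*n) records the same trace for every scalar. Curve parameters, function names and the blinding width are all constructed here.

```python
# Added illustration, not NSS code: toy curve over a constructed prime to show the
# scalar-dependent wNAF operation pattern versus a regular ladder with blinding.
P, A, B = 97, 2, 3         # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
BLIND_BITS = 8             # width of the blinding factor r (toy value)

def add(p, q):             # affine group law; None is the point at infinity
    if p is None or q is None: return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    num, den = (3*x1*x1 + A, 2*y1) if p == q else (y2 - y1, x2 - x1)
    l = num * pow(den, -1, P) % P
    x3 = (l*l - x1 - x2) % P
    return (x3, (l*(x1 - x3) - y1) % P)
def neg(p): return None if p is None else (p[0], -p[1] % P)

def order(g):              # brute force; fine for a 97-element field
    n, q = 1, g
    while q is not None: q, n = add(q, g), n + 1
    return n
def find_generator(min_order=16):  # first curve point with a usable order
    for x, y in ((x, y) for x in range(P) for y in range(1, P)):
        if y*y % P == (x**3 + A*x + B) % P and order((x, y)) >= min_order: return (x, y)

def wnaf(k, w=4):          # signed digits in (-2^(w-1), 2^(w-1)), non-adjacent form
    digits = []
    while k > 0:
        d = k % (1 << w) if k & 1 else 0
        if d >= 1 << (w - 1): d -= 1 << w
        k = (k - d) >> 1
        digits.append(d)
    return digits
def mul_wnaf(k, g, w=4):   # returns (k*G, trace); D = double, A = add
    tbl, g2 = {1: g}, add(g, g)
    for i in range(3, 1 << (w - 1), 2): tbl[i] = add(tbl[i - 2], g2)
    r, trace = None, ""
    for d in reversed(wnaf(k, w)):
        r, trace = add(r, r), trace + "D"
        if d: r, trace = add(r, tbl[d] if d > 0 else neg(tbl[-d])), trace + "A"
    return r, trace        # trace varies with k: the irregular pattern this bug describes

def mul_ladder(k, g, bits):  # Montgomery ladder: one add and one double per bit, always
    r0, r1, trace = None, g, ""
    for i in range(bits - 1, -1, -1):
        b = (k >> i) & 1     # real code swaps with a constant-time cswap, not an if
        if b: r0, r1 = r1, r0
        r1, r0, trace = add(r0, r1), add(r0, r0), trace + "AD"
        if b: r0, r1 = r1, r0
    return r0, trace         # same trace for every k of the fixed bit length
def blind(k, n, r): return k + r * n  # k'*G == k*G; r comes from a CSPRNG in real code
```

The ladder is given a fixed bit length of bitlen(n) + BLIND_BITS so that blinded scalars k + r*n, with r below 2^BLIND_BITS, always fit and the trace length never depends on the scalar.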

NSS 3.55 replaced both P384 and P521 with verifiable implementations from Fiat-Crypto and ECCKiila. I'm closing this bug as the code in question is no longer used in NSS, and to the best of our knowledge no such issues are present in the new code.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Group: core-security-release