curve25519-dalek Constant-Time Operation Vulnerability on Elliptic Curve Scalars

Vulnerability

A vulnerability exists in the curve25519-dalek crate for Rust, specifically in versions prior to 4.1.3. The issue arises from a timing variability in the scalar subtraction operations of the library's elliptic curve implementation. This variability can be exploited to leak private keys and other sensitive information. The problem was introduced by LLVM optimizations that removed critical parts of the constant-time operation, allowing potential side-channel attacks on secret values.

Impact

Because the scalar subtraction operation does not execute in constant time, an attacker who can measure its timing could use the variability to infer private key material.

Reproduction

The vulnerability can be reproduced by using the curve25519-dalek crate version prior to 4.1.3 and performing scalar subtraction operations with the 32-bit or 64-bit backends. This will trigger the timing variability issue, which can be observed by inspecting the generated assembly for branch instructions that conditionally bypass parts of the operation.
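To make the mechanism concrete, here is an added example of the two shapes a modular scalar subtraction can take. It is not curve25519-dalek's code: it uses a simplified 4 x 64-bit little-endian limb layout rather than the crate's own backend radix, reduces modulo the Ed25519 group order (the RFC 8032 constant), and assumes both inputs are already reduced. `sub_branching` is the variable-time shape the advisory describes (a conditional jump that skips the "add the modulus back" work when no underflow occurred); `sub_ct` selects the modulus through an arithmetic mask and routes that mask through `core::hint::black_box`, a common mitigation for this class of optimizer rewrite. Whether the crate's 4.1.3 fix took exactly this form is not stated on this page, and `black_box` is only a hint to the compiler, so the emitted assembly still has to be checked.

```rust
// Added example (not curve25519-dalek's own code): a simplified 256-bit
// scalar subtraction modulo the Ed25519 group order l, in two styles.
// Limbs are little-endian u64; the crate's backends use a different radix.
use core::hint::black_box;

pub type Limbs = [u64; 4];

/// Ed25519 group order l = 2^252 + 27742317777372353535851937790883648493
/// (RFC 8032), as little-endian 64-bit limbs.
pub const L: Limbs = [
    0x5812631a5cf5d3ed,
    0x14def9dea2f79cd6,
    0x0000000000000000,
    0x1000000000000000,
];

pub fn from_u64(x: u64) -> Limbs {
    [x, 0, 0, 0]
}

/// Raw limb-wise a - b with borrow propagation; returns (difference, final borrow).
fn sub_limbs(a: &Limbs, b: &Limbs) -> (Limbs, u64) {
    let mut out = [0u64; 4];
    let mut borrow = 0u64;
    for i in 0..4 {
        let (d1, b1) = a[i].overflowing_sub(b[i]);
        let (d2, b2) = d1.overflowing_sub(borrow);
        out[i] = d2;
        borrow = (b1 | b2) as u64;
    }
    (out, borrow)
}

/// Add (l & mask) limb-wise; mask is either all-ones or all-zeros.
/// The final carry is the 2^256 wrap and is discarded on purpose.
fn add_masked_l(mut v: Limbs, mask: u64) -> Limbs {
    let mut carry = 0u64;
    for i in 0..4 {
        let (s1, c1) = v[i].overflowing_add(L[i] & mask);
        let (s2, c2) = s1.overflowing_add(carry);
        v[i] = s2;
        carry = (c1 | c2) as u64;
    }
    v
}

/// Variable-time form: the shape the advisory describes the optimizer
/// producing from mask code, a conditional jump over the "add l" work.
/// Its running time depends on whether the secret difference underflowed.
pub fn sub_branching(a: &Limbs, b: &Limbs) -> Limbs {
    let (diff, borrow) = sub_limbs(a, b);
    if borrow == 1 {
        add_masked_l(diff, u64::MAX)
    } else {
        diff
    }
}

/// Constant-time form: derive an all-ones/all-zeros mask from the borrow
/// and always perform the masked add. The mask passes through black_box so
/// the compiler cannot prove it is 0 or all-ones and rewrite the masked add
/// as the branch above. black_box is a hint, not a guarantee (assumption:
/// it is sufficient for the target in use); verify the emitted assembly.
pub fn sub_ct(a: &Limbs, b: &Limbs) -> Limbs {
    let (diff, borrow) = sub_limbs(a, b);
    let mask = black_box(0u64.wrapping_sub(borrow));
    add_masked_l(diff, mask)
}

fn main() {
    // 3 - 5 mod l underflows; both forms return l - 2, but only sub_ct
    // does the same amount of work regardless of the underflow.
    println!("{:x?}", sub_ct(&from_u64(3), &from_u64(5)));
    println!("{:x?}", sub_branching(&from_u64(3), &from_u64(5)));
}
```

The check the advisory points at is the assembly, not the Rust source: build the crate in release mode and emit assembly (for example with `cargo rustc --release -- --emit=asm`), then look for a conditional branch around the masked-add loop in the subtraction routine. A correct constant-time build has no such branch; the add runs every time with the mask selecting zero or the modulus.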

Remediation

Users can upgrade to curve25519-dalek version 4.1.3 or later to address this vulnerability.

Added: Jul 27, 2025, 8:20 PM
Updated: Jul 27, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     7.7
relevance       0.3
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.