Re: [TLS] Static DH timing attack

Peter Gutmann <> Fri, 11 September 2020 02:21 UTC

From: Peter Gutmann <>
To: Achim Kraus <>, "" <>
Date: Fri, 11 Sep 2020 02:21:04 +0000
Subject: Re: [TLS] Static DH timing attack
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Achim Kraus <> writes:

>Is using x25519 for ECDHE significantly less secure than using it with
>e.g. secp384r1?

The NIST curves AFAIK are never used that way; it's only done with 25519
(there was something about it in an OpenPGP draft, but I think GPG went
straight to 25519 and only used ECDSA for signatures).

What I'm specifically referring to is DH run sideways, as someone put it
during the X9.42 discussion, i.e. used in static-ephemeral mode to try and
make it work like it's RSA.

In all the code audits I've done of 25519 used that way, I've never seen it
used correctly.  Usually there isn't just one mistake made but many of them.
It's such an obvious problem that that and misuse of RC4-equivalent modes/
algorithms like GCM and ChaCha20 are the first things I look for in crypto
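
The construction discussed above, as an added example that is not part of Gutmann's message, the thread, or any project's code: X25519 "run sideways", with the recipient's static key in the RSA-like role and a sender-side key on the other end, followed by the RC4-equivalent misuse he lists next to it. The code uses only the Go standard library (crypto/ecdh needs Go 1.20 or later); the KDF label, the function names, the sample messages and the all-zero "counter" nonce are constructed for the example. `Seal` is the correct static-ephemeral form, one fresh ephemeral key and nonce per message; calling `SealWithKey` directly with a long-lived sender key and a repeated nonce is the mistake, and `RecoverFromKeystreamReuse` shows what it costs: a second plaintext recovered with no key at all, because a fixed key and nonce make GCM a stream cipher whose keystream repeats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Hypothetical context label (an assumption for this example); any string
// unique to this protocol's use of the recipient's static key will do.
const kdfLabel = "x25519-static-ephemeral-demo-v1"

// deriveAEAD runs an HKDF-style extract-then-expand over the raw X25519 output,
// binding both public keys so that a different ephemeral key yields a different
// AES-256-GCM key, and returns the ready AEAD.
func deriveAEAD(shared, ephPub, staticPub []byte) cipher.AEAD {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // extract, salt = zeros
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand, keyed with the PRK
	for _, p := range [][]byte{[]byte(kdfLabel), ephPub, staticPub, {0x01}} {
		exp.Write(p)
	}
	block, _ := aes.NewCipher(exp.Sum(nil)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)         // AES block: cannot fail
	return aead
}

// SealWithKey is the encryption step shared by correct and incorrect use.
// Seal (below) calls it with a fresh sender key and a fresh nonce per message.
// The misuse is calling it directly with a long-lived sender key and a repeated
// nonce: the derived key is then constant, and GCM under a repeated nonce
// repeats its keystream exactly as RC4 under a repeated key would.
// sender.ECDH itself rejects an all-zero shared secret (a low-order peer
// point), a check the static-key side must never skip.
func SealWithKey(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, nonce, plaintext []byte) ([]byte, error) {
	shared, err := sender.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	senderPub := sender.PublicKey().Bytes()
	aead := deriveAEAD(shared, senderPub, recipient.Bytes())
	return aead.Seal(nil, nonce, plaintext, senderPub), nil // sender key as AAD
}

// Seal is the static-ephemeral form done properly: new ephemeral key and nonce
// for every message, so the derived key (and the GCM keystream) never repeats.
func Seal(rng io.Reader, recipient *ecdh.PublicKey, plaintext []byte) (ephPub, nonce, ct []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rng)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, 12) // standard GCM nonce size
	if _, err = io.ReadFull(rng, nonce); err != nil {
		return nil, nil, nil, err
	}
	ct, err = SealWithKey(eph, recipient, nonce, plaintext)
	return eph.PublicKey().Bytes(), nonce, ct, err
}

// Open is the recipient side, using the static private key once per message.
func Open(recipient *ecdh.PrivateKey, ephPub, nonce, ct []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(pub) // errors on a low-order ephemeral point
	if err != nil {
		return nil, err
	}
	return deriveAEAD(shared, ephPub, recipient.PublicKey().Bytes()).Open(nil, nonce, ct, ephPub)
}

// RecoverFromKeystreamReuse: two ciphertexts under one key and nonce plus one
// known plaintext yield the other as ct1 XOR ct2 XOR pt1 over the common length.
func RecoverFromKeystreamReuse(ct1, ct2, knownPt1 []byte) []byte {
	n := len(ct2) - 16 // drop the 16-byte GCM tag
	if len(knownPt1) < n {
		n = len(knownPt1)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = ct1[i] ^ ct2[i] ^ knownPt1[i]
	}
	return out
}

func main() {
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sender, _ := ecdh.X25519().GenerateKey(rand.Reader) // reused below: the mistake
	pt1, pt2 := []byte("transfer 100 to alice"), []byte("transfer 900 to mallory") // constructed
	zeroNonce := make([]byte, 12) // "the counter starts at zero" on every run
	ct1, _ := SealWithKey(sender, recipient.PublicKey(), zeroNonce, pt1)
	ct2, _ := SealWithKey(sender, recipient.PublicKey(), zeroNonce, pt2)
	fmt.Printf("recovered without any key: %q\n", RecoverFromKeystreamReuse(ct1, ct2, pt1))
	ephPub, nonce, ct, _ := Seal(rand.Reader, recipient.PublicKey(), pt2)
	got, err := Open(recipient, ephPub, nonce, ct)
	fmt.Printf("correct form round-trips: %q (err=%v)\n", got, err)
}
```

The recovery works on the prefix both messages share in length and never touches the tag; GCM's authentication does nothing for confidentiality once the keystream repeats. The correct form fixes it by construction rather than by discipline: with a fresh ephemeral key per message the derived key changes even if the nonce does not, and the recipient's static key is exercised only through an ECDH call that already refuses low-order input.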