Paper 2021/1003

SCA-secure ECC in software – mission impossible?

Lejla Batina, Radboud University Nijmegen
Łukasz Chmielewski, Masaryk University
Björn Haase, Endress+Hauser Liquid Analysis GmbH&Co. KG, Germany
Niels Samwel, Radboud University Nijmegen
Peter Schwabe, Max Planck Institute for Security and Privacy, Bochum

This paper describes an ECC implementation computing the X25519 keyexchange protocol on the Arm Cortex-M4 microcontroller. For providing protections against various side-channel and fault attacks we first review known attacks and countermeasures, then we provide software implementations that come with extensive mitigations, and finally we present a preliminary side-channel evaluation. To our best knowledge, this is the first public software claiming affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to our baseline unprotected implementation is about 37% and 243%, respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is at least as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.

Available format(s)
Publication info
Elliptic Curve Cryptography Side-Channel Analysis Fault Injection
Contact author(s)
lukchmiel @ gmail com
2022-11-04: last of 5 revisions
2021-08-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe},
      title = {{SCA}-secure {ECC} in software – mission impossible?},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1003},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.