Paper 2021/1003

SCA-secure ECC in software – mission impossible?

Lejla Batina, Łukasz Chmielewski, Björn Haase, Niels Samwel, and Peter Schwabe


This paper describes an ECC implementation computing the X25519 key-exchange protocol on the ARM Cortex-M4 microcontroller. This software comes with extensive mitigations against various side-channel and fault attacks and is, to our best knowledge, the first to claim affordable protection against multiple classes of attacks that are motivated by distinct real-world application scenarios. We also present the results of a comprehensive side-channel evaluation. We distinguish between X25519 with ephemeral keys and X25519 with static keys and show that the overhead to protect the two is about 36% and 239% respectively. While this might seem to be a high price to pay for security, we also show that even our (most protected) static implementation is as efficient as widely-deployed ECC cryptographic libraries, which offer much less protection.

Available format(s)
Publication info
Preprint. MINOR revision.
Elliptic Curve CryptographySide-Channel AnalysisFault Injection
Contact author(s)
lukchmiel @ gmail com
2021-09-27: last of 2 revisions
2021-08-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Lejla Batina and Łukasz Chmielewski and Björn Haase and Niels Samwel and Peter Schwabe},
      title = {SCA-secure ECC in software – mission impossible?},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1003},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.