Chaos Communication Congress

Squeezing a key through a carry bit (34x15)

: 27, 2017

Speaker: Filippo Valsorda The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption.