Squeezing a key through a carry bit - Filippo Valsorda

34c3 - Security - 12/27/2017

The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption.