
AMD-SEV: Platform DH key recovery via invalid curve attack (CVE-2019-9836) - film42
https://seclists.org/fulldisclosure/2019/Jun/46
======
segfaultbuserr
Elliptic-curve cryptography is full of edge cases, math pitfalls, and side-channel traps.

* Your implementation produces incorrect results for some rare curve points.

* Your implementation leaks secret data when the input isn't a curve point.

* Your implementation leaks secret data through branch timing.

* Your implementation leaks secret data through cache timing.

This is why NIST curves should be retired in favor of Curve25519 and other
newer designs that were designed with actual secure implementation in mind, not only
theoretical security.

Curve25519 is designed to be more immune to implementation pitfalls. There is
no invalid curve attack in Curve25519, secret-dependent branching can be
avoided easily, etc.

[https://safecurves.cr.yp.to/](https://safecurves.cr.yp.to/)
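To make the "input isn't a curve point" pitfall concrete, here is an added toy example (not code from the thread, from AMD, or from any real library). It uses a constructed short-Weierstrass curve y^2 = x^3 + 2x + 3 over GF(97) with a constructed base point (0, 10). The point is that the affine group-law formulas never reference the curve coefficient b, so feeding an ECDH endpoint a point that lies on a *different* curve with the same a still "works" arithmetically, and the private scalar is then applied on whatever curve the peer chose; Curve25519's x-only Montgomery ladder with clamped scalars avoids this because every x value is on the curve or its twist-secure twist. The defence shown is the validation step (coordinates in range, not the identity, on the advertised curve) that an implementation must run before mixing in its private key. All names, parameters and point values below are assumptions constructed for the illustration; the arithmetic is not constant time and is for teaching only.

```python
# Added example, not code from the thread or from AMD: a toy illustration of
# the "invalid curve" pitfall on a short-Weierstrass curve and the input check
# that closes it. All parameters are constructed and deliberately tiny; a real
# implementation uses a standardised curve and constant-time arithmetic.

P_MOD = 97          # constructed toy prime field
A, B = 2, 3         # toy curve: y^2 = x^3 + 2x + 3 over GF(97)
G = (0, 10)         # constructed base point on that curve (10^2 = 100 = 3 mod 97)


def inv(v):
    return pow(v % P_MOD, -1, P_MOD)


def implied_b(pt):
    """The b for which pt satisfies y^2 = x^3 + A*x + b. Equals B only on the real curve."""
    x, y = pt
    return (y * y - x ** 3 - A * x) % P_MOD


def is_on_curve(pt, b=B):
    """The point at infinity (None) counts as on-curve for every b."""
    return pt is None or implied_b(pt) == b


def add(p1, p2):
    """Affine group law. Note that b never appears: the same formulas 'work'
    on any curve with coefficient A, which is exactly what an invalid-curve
    input exploits."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                         # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (NOT constant time; toy only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def validate_public_point(pt):
    """The check an ECDH endpoint must run on a peer's point before mixing in
    its private scalar: coordinates in range, not the identity, and on the
    curve with the *advertised* b. A production implementation additionally
    checks that the point lies in the prime-order subgroup (cofactor check)."""
    if pt is None:
        raise ValueError("identity is not a valid public point")
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        raise ValueError("coordinate out of field range")
    if not is_on_curve(pt):
        raise ValueError(
            f"point is not on the curve (it lies on b={implied_b(pt)} instead)")
    return pt


def ecdh_shared_x(priv, peer_pub):
    """Hardened ECDH: validate first, then return the x-coordinate of priv*peer."""
    shared = mul(priv, validate_public_point(peer_pub))
    if shared is None:
        raise ValueError("shared point is the identity")
    return shared[0]


def ecdh_shared_x_unchecked(priv, peer_pub):
    """The pitfall: no validation, so a peer-chosen off-curve point makes the
    secret scalar act on a different (possibly weak) curve without any error."""
    shared = mul(priv, peer_pub)
    return None if shared is None else shared[0]


if __name__ == "__main__":
    bogus = (3, 7)                      # constructed: off the curve (b would be 16)
    print("on real curve:", is_on_curve(bogus), "implied b:", implied_b(bogus))
    print("unchecked ECDH still 'works':", ecdh_shared_x_unchecked(5, bogus))
    try:
        ecdh_shared_x(5, bogus)
    except ValueError as e:
        print("validated ECDH rejects it:", e)
```

Running it shows that the unchecked path happily computes a shared value from a point that satisfies y^2 = x^3 + 2x + 16 rather than the advertised curve, while the validated path raises before the private scalar is ever used. The constructed point (3, 6) on the toy curve also happens to have order 5, which is why a real implementation pairs the on-curve check with a subgroup (cofactor) check rather than stopping at curve membership.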

