Nonce@Once: A Single-Trace EM Side Channel Attack on Several Constant-Time Elliptic Curve Implementations in Mobile Platforms

We present the first side-channel attack on full-fledged smartphones that recovers the elliptic curve secret scalar from the electromagnetic signal that corresponds to a single scalar-by-point multiplication in current versions of Libgcrypt, OpenSSL, HACL* and curve25519-donna. To avoid leaking information via side channels, these implementations follow the recommendations of RFC 7748 and use a co...