Side-channel vulnerability in libgcrypt - the Marvin Attack

NIIBE Yutaka gniibe at
Fri Mar 8 03:55:55 CET 2024


Hubert Kario wrote:
> I've tested libgcrypt against the Marvin Attack[1] and have verified it to
> be vulnerable.

Thank you for your report.

My understanding is that libgcrypt exposes timing differences against
chosen cipher texts by your timing analysis.

> Looking more closely at results, the side-channel from removal of blinding
> or conversion of the integer returned from the RSADP() operation[3] to a
> byte string is the most significant source of leakage.
> That means that all padding modes that use RSA will be vulnerable: raw RSA
> (RSASVE), PKCS#1v1.5, and RSA-OAEP.

The major possible causes of timing differences in libgcrypt are:

   an old fork of GNU MP Bignum library for multi precision integer

   S-expression handling for multi precision integer representation.

I'd agree that we need documentation update of libgcrypt to explain
possible timing differences of libgcrypt RSA implementation; Well,
libgcrypt users should know that RSA private key may be at risk when
implementing decryption network service if timing information is
available to remote side.

If possible, could you give us some concrete information how large the
side-channel to compose a possible attack?  It would be good for us to
know the impact of timing differences.

More information about the Gcrypt-devel mailing list