Side-channel vulnerability in libgcrypt - the Marvin Attack

Hubert Kario hkario at
Fri Mar 15 15:06:51 CET 2024

On Friday, 15 March 2024 13:37:16 CET, Stephan Verbücheln via Gcrypt-devel 
> Hello
> Thank you for your work and sharing your results!
> How about the use case of interactively authenticating to a server
> which is not controlled by oneself and therefore not fully trusted?
> Since the authentication is interactive, the timing could matter.
> For example, I am using my PGP key for SSH public-key authentication to
> and alike.

Authentication uses signing, not decryption.
While there are also timing attacks on signing operations (see Kocher 1996
as the first example of those), that's not what I have been testing or 
tried to

While presence of timing attacks in decryption is a red flag, it's not a
guarantee that timing attacks in signing are exploitable. Or vice versa.

An implementation vulnerable to Bleichenbacher may be completely immune to
Kocher-like attacks and an implementation vulnerable to Kocher can be
completely immune to Bleichenbacher-like attacks.
(though do note that Kocher allows for private key extraction, so if a 
like attack is possible, decryption of captured ciphertexts is also 
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
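
Added illustration (not part of this thread, not libgcrypt code, not Hubert's test harness): the decryption-side padding check that Bleichenbacher/Marvin-class oracles target, written once with early exits and once in a constant-time style with implicit rejection, so the difference between "leaks in decryption" and "leaks in the private-key operation itself" is visible in code. The toy RSA key (two Mersenne primes, far too small for real use), the 18-byte payload, the malformed encoded messages and the `examined` counters standing in for wall-clock time are all constructed for the example; CPython's pow() makes no constant-time promise, so any Kocher-style leak in the exponentiation is deliberately out of scope here.

```python
"""Leaky vs. constant-time PKCS#1 v1.5 unpadding after RSA decryption.

Toy RSA parameters are assumed for illustration only (hypothetical key,
not usable in practice).  The `examined` counters count bytes touched and
stand in for timing, so the leak is shown deterministically.
"""
import secrets

# --- toy RSA key (hypothetical; 2**127-1 and 2**107-1 are both prime) ---
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8      # 30 for this toy modulus


def pkcs1_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5: 00 02 <at least 8 nonzero random bytes> 00 <msg>."""
    ps_len = KEY_BYTES - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_pad(msg), "big"), E, N)


def decrypt_raw(c: int) -> bytes:
    """RSA private-key operation only; returns the encoded message EM."""
    return pow(c, D, N).to_bytes(KEY_BYTES, "big")


def unpad_leaky(em: bytes):
    """Early-exit check: stops at the first bad byte, so the work done (the
    `examined` counter stands in for time) tells an attacker where the
    padding broke.  Returns (message or None, bytes_examined)."""
    examined = 1
    if em[0] != 0x00:
        return None, examined
    examined += 1
    if em[1] != 0x02:
        return None, examined
    i = 2
    while i < len(em):
        examined += 1
        if em[i] == 0x00:
            break
        i += 1
    else:
        return None, examined            # no 00 separator found
    if i < 10:                           # padding string shorter than 8 bytes
        return None, examined
    return em[i + 1:], examined


def ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, without a data-dependent branch (0 <= a, b < 2**62)."""
    x = a ^ b
    return 1 ^ (((x | -x) >> 63) & 1)


def unpad_ct(em: bytes, mlen: int, fallback: bytes):
    """Constant-time-structured check with implicit rejection (the TLS-style
    countermeasure): every byte is examined exactly once, there is no early
    return, and a bad encoding yields the caller's `fallback` of the expected
    length instead of an error.  Returns (message, bad_flag, bytes_examined)."""
    n = len(em)
    assert len(fallback) == mlen
    bad = (1 ^ ct_eq(em[0], 0x00)) | (1 ^ ct_eq(em[1], 0x02))
    examined = 2
    sep, found = 0, 0                    # index of the first 00 after the header
    for i in range(2, n):
        examined += 1
        is_zero = ct_eq(em[i], 0x00)
        take = is_zero & (1 ^ found)     # 1 only for the first zero byte seen
        sep = (sep & (take - 1)) | (i & -take)
        found |= is_zero
    bad |= 1 ^ found                     # no separator at all
    bad |= ((sep - 10) >> 63) & 1        # padding string shorter than 8 bytes
    bad |= 1 ^ ct_eq(sep, n - mlen - 1)  # separator not where an mlen-byte message puts it
    mask = -bad & 0xFF                   # 0xFF when bad, 0x00 when good
    start = n - mlen                     # fixed offset, independent of sep
    out = bytes((em[start + j] & (mask ^ 0xFF)) | (fallback[j] & mask)
                for j in range(mlen))
    return out, bad, examined


def demo():
    """Bytes examined by each check on a valid EM and on two constructed bad ones."""
    msg = b"premaster secret!!"                        # 18-byte constructed payload
    em_good = decrypt_raw(encrypt(msg))
    em_bad_header = b"\x00\x03" + em_good[2:]           # wrong block type
    em_no_separator = b"\x00\x02" + b"\x01" * (KEY_BYTES - 2)
    fallback = secrets.token_bytes(len(msg))            # derived from the ciphertext in real code
    ems = (em_good, em_bad_header, em_no_separator)
    leaky = [unpad_leaky(em)[1] for em in ems]
    ct = [unpad_ct(em, len(msg), fallback)[2] for em in ems]
    return leaky, ct


if __name__ == "__main__":
    print(demo())
```

The leaky variant touches a different number of bytes for each malformed input, which is exactly the kind of signal a Bleichenbacher-style oracle is built from; the constant-time variant does the same amount of work and returns an output of the same length whatever the padding looked like. Neither variant says anything about the exponentiation in decrypt_raw(), which is where a Kocher-style leak would live, so one can be present without the other.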
