Side-channel vulnerability in libgcrypt - the Marvin Attack

NIIBE Yutaka gniibe at
Sat Mar 16 00:43:58 CET 2024

Hubert Kario <hkario at> wrote:
> Actually no. If the time slots are consistent (say, the USB device returns
> the message only on the second, on the dot), then the attacker can tune the
> time when it _starts_ the operation so that it end exactly at the second.
> Then quicker operations will be returned earlier, while slower will be
> returned a second later.

This is not the communication of USB bus.  The request from host is also
time-slotted.  Your claim above would be only valid if the attacker can
start the request of the crypto operation from another channel where
timing can be accurately controlled, and the responce is on USB bus (for
some reason).

I don't think this is a general scenario in the real world.

More information about the Gcrypt-devel mailing list