Side-channel vulnerability in libgcrypt - the Marvin Attack

Hubert Kario hkario at
Tue Mar 19 14:22:44 CET 2024

On Monday, 18 March 2024 13:41:42 CET, Clemens Lang wrote:
> Hi,
>> On 15. Mar 2024, at 07:42, NIIBE Yutaka <gniibe at> wrote:
>> My original question was... about quantitative evaluation and
>> possibility in real cases.  In other words, my interest is: if there are
>> any existing applications/services/products/etc., and the degree of how
>> likely are these problems and how much effort/time is needed to recover
>> RSA private key, in such a possible scenario.
> Just to give you a rough ballpark of some numbers:
> I looked at the same vulnerability in Apple’s CoreCrypto 
> library. CVE-2024-23218 was assigned for that.
> When directly measuring the affected decrypt operation, 
> decryption of a cipher text without using the private key just 
> by making calls to the timing oracle needed about 24 hours. I 
> didn’t bother attempting to optimize this, and didn’t 
> parallelize it.
> Now, over the network, you’ll need more samples due to the 
> noise. Hubert can probably guesstimate how many more samples, 
> but let’s say you’d need 100 times of what you’d need locally. 
> You can assume the attacker isn’t halfway around the world, but 
> a few hops next to you in some Amazon or Google cloud 
> datacenter.

For same-switch attack vs loopback attack it's a factor of 4.
For more remote connections there are too many variables to provide
a good estimate.

Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic