Side-channel vulnerability in libgcrypt - the Marvin Attack

Hubert Kario hkario at
Tue Mar 19 14:28:02 CET 2024

On Saturday, 16 March 2024 00:43:58 CET, NIIBE Yutaka wrote:
> Hubert Kario <hkario at> wrote:
>> Actually no. If the time slots are consistent (say, the USB device returns
>> the message only on the second, on the dot), then the attacker can tune the
>> time when it _starts_ the operation so that it ends exactly on the second.
>> Then quicker operations will be returned earlier, while slower ones will be
>> returned a second later.
> This is not how communication on the USB bus works.  The request from the
> host is also time-slotted.  Your claim above would only be valid if the
> attacker can start the request for the crypto operation from another channel
> where timing can be accurately controlled, and the response is on the USB
> bus (for some reason).

If the communication is like that in both directions, then yes, it's more
problematic. But as long as there is a variability in the responses, the
statistical tests I'm using will still work.

Like, if the operation normally takes between 1.8 and 2.2 s, and the
communication can happen every 0.1 s, then the attack is still possible.

It will only be impossible if the inherent variability is completely hidden
by the quantization, as it would be if, in the above example, the
communication could happen only every 10 s.

Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
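The 0.1 s versus 10 s scenario from the message above, worked through as an added simulation (this is not code from the thread, from tlsfuzzer or from libgcrypt). It assumes a constructed model: both request and response sit on the same slot grid, so the observed latency is the first slot boundary at or after the operation finishes; the operation's true duration is uniform on 1.8 to 2.2 s, and a "slow" variant (e.g. a different code path) takes a hypothetical 20 ms longer. A plain Welch t-test with the normal approximation stands in for whatever statistical test an attacker would actually use. The point it shows is that quantization to 0.1 s, or even 1 s, still leaks the difference given enough samples, while a 10 s slot swallows the variability entirely and the test correctly reports nothing.

```python
"""Constructed simulation of a timing side channel seen through a
slot-quantized transport. Not from the Gcrypt-devel thread or libgcrypt."""
import math
import random


def deliver_at(finish_time: float, slot: float) -> float:
    """Time at which a slot-based transport hands back a result that
    finished at finish_time: the next slot boundary at or after it."""
    return math.ceil(finish_time / slot) * slot


def sample_responses(n, low, high, slot, rng):
    """n observed response times for an operation whose true duration is
    uniform on [low, high] seconds (constructed inherent variability),
    as seen through a transport with the given slot width."""
    return [deliver_at(rng.uniform(low, high), slot) for _ in range(n)]


def welch_p_value(a, b):
    """Two-sided p-value for mean(a) != mean(b) from Welch's t statistic,
    using the normal approximation (adequate for the sample sizes here).
    Returns 1.0 when quantization has removed all variability: the usual
    formula would divide by zero, and there is no evidence of a leak."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    se = math.sqrt(va / na + vb / nb)
    if se == 0.0:
        return 1.0
    z = abs(ma - mb) / se
    return math.erfc(z / math.sqrt(2))


def leak_p_value(slot, n=10000, shift=0.02, seed=1):
    """p-value for distinguishing a 'fast' operation (uniform 1.8..2.2 s)
    from a 'slow' one that takes `shift` s longer (hypothetical 20 ms by
    default), when responses only arrive on multiples of `slot` seconds."""
    rng = random.Random(seed)
    fast = sample_responses(n, 1.8, 2.2, slot, rng)
    slow = sample_responses(n, 1.8 + shift, 2.2 + shift, slot, rng)
    return welch_p_value(fast, slow)


if __name__ == "__main__":
    alpha = 0.01
    for slot in (0.1, 1.0, 10.0):
        p = leak_p_value(slot)
        print(f"slot {slot:5.1f} s: p = {p:.3g}, "
              f"leak detectable = {p < alpha}")
```

With the 10 s slot every sample lands on the same boundary, so both variances are zero and the function returns 1.0 rather than raising; with the 1 s slot the sample straddles the 2 s boundary, which is exactly the variability the message says a statistical test can exploit.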
