[git] GCRYPT - branch, LIBGCRYPT-1-7-BRANCH, updated. libgcrypt-1.7.7-5-ga9f612d

by NIIBE Yutaka cvs at cvs.gnupg.org
Thu Jun 29 04:50:12 CEST 2017 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, LIBGCRYPT-1-7-BRANCH has been updated
       via  a9f612def801c8145d551d995475e5d51a4c988c (commit)
      from  0e6788517eac6f508fa32ec5d5c1cada7fb980bc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a9f612def801c8145d551d995475e5d51a4c988c
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Thu Jun 29 11:48:44 2017 +0900

    rsa: Add exponent blinding.
    
    * cipher/rsa.c (secret): Blind secret D with randomized nonce R for
    mpi_powm computation.
    
    --
    
    Co-authored-by: Werner Koch <wk at gnupg.org>
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
    
    The paper describing attack: https://eprint.iacr.org/2017/627
    
    Sliding right into disaster: Left-to-right sliding windows leak
    by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
    Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
    Christine van Vredendaal and Yuval Yarom
    
      It is well known that constant-time implementations of modular
      exponentiation cannot use sliding windows. However, software
      libraries such as Libgcrypt, used by GnuPG, continue to use sliding
      windows. It is widely believed that, even if the complete pattern of
      squarings and multiplications is observed through a side-channel
      attack, the number of exponent bits leaked is not sufficient to
      carry out a full key-recovery attack against RSA. Specifically,
      4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
      windows leak only 33% of the bits.
    
      In this paper we demonstrate a complete break of RSA-1024 as
      implemented in Libgcrypt. Our attack makes essential use of the fact
      that Libgcrypt uses the left-to-right method for computing the
      sliding-window expansion. We show for the first time that the
      direction of the encoding matters: the pattern of squarings and
      multiplications in left-to-right sliding windows leaks significantly
      more information about exponent bits than for right-to-left. We show
      how to incorporate this additional information into the
      Heninger-Shacham algorithm for partial key reconstruction, and use
      it to obtain very efficient full key recovery for RSA-1024. We also
      provide strong evidence that the same attack works for RSA-2048 with
      only moderately more computation.
    
    Exponent blinding is a kind of workaround to add noise.  Signal (leak)
    is still there for non-constant-time implementation.
    
    (backported from master commit:
    8725c99ffa41778f382ca97233183bcd687bb0ce)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index 2e13fd6..b894e5a 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1021,15 +1021,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
       gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
       gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
       gcry_mpi_t h  = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
-
-      /* m1 = c ^ (d mod (p-1)) mod p */
+      gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 );
+      gcry_mpi_t r;
+      unsigned int r_nbits;
+
+      r_nbits = mpi_get_nbits (skey->p) / 4;
+      if (r_nbits < 96)
+        r_nbits = 96;
+      r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
+
+      /* d_blind = (d mod (p-1)) + (p-1) * r */
+      /* m1 = c ^ d_blind mod p */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
       mpi_sub_ui( h, skey->p, 1  );
-      mpi_fdiv_r( h, skey->d, h );
-      mpi_powm( m1, input, h, skey->p );
-      /* m2 = c ^ (d mod (q-1)) mod q */
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m1, input, D_blind, skey->p );
+      /* d_blind = (d mod (q-1)) + (q-1) * r */
+      /* m2 = c ^ d_blind mod q */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
       mpi_sub_ui( h, skey->q, 1  );
-      mpi_fdiv_r( h, skey->d, h );
-      mpi_powm( m2, input, h, skey->q );
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m2, input, D_blind, skey->q );
       /* h = u * ( m2 - m1 ) mod q */
       mpi_sub( h, m2, m1 );
       if ( mpi_has_sign ( h ) )

-----------------------------------------------------------------------

Summary of changes:
 cipher/rsa.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org

More information about the Gnupg-commits mailing list