Minerva attack on GnuTLS
Hello GnuTLS team,
My team and I have tested GnuTLS and we found that it is vulnerable to the Minerva attack. GnuTLS on its own is not vulnerable but when we are using the deterministic code we can see a step from 513 K-bit-size to 512 K-bit-size.
The test scenario is that we are signing random messages using the gnutls_privkey_sign_data2 API function using "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. Then using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce we compare full-sized nonces to smaller ones and use the statistical tests to compare the signature times.
For testing, we used gnutls-3.7.6-23.el9.x86_64 and gnutls-devel-3.7.6-23.el9.x86_64.
In these results, we can clearly see that there is a "step" from nonce size of 513 bits to nonce size of 512 bits. The size of this side channel is around 34 ns. The sample tested has 43,190,069 observations.
Here you can find more information about the Minerva attack.
For any questions, feel free to contact us.
Hubert Kario @tomato42 <hkario@redhat.com>
George Pantelakis <gpantela@redhat.com>
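The analysis the report describes (recover each nonce k from a signature using the known private key, bucket signatures by the bit length of k, then compare the signing times of the two buckets statistically), as an added self-contained example that is not part of the report and not GnuTLS code. It uses P-256 instead of the 521-bit curve the reporters tested, a hash-derived nonce as a stand-in for the library's deterministic nonce, and Welch's t statistic for the comparison; the signing-time values are supplied by the caller (constructed, not measured).

```python
import hashlib, math, statistics
# NIST P-256 parameters; the report concerns a 521-bit curve, but the method is the same.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 - 3) * pow(2*y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam*lam - x1 - x2) % P
    return x3, (lam*(x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; this is an offline script)."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def sign(d, z, k):
    """ECDSA with an explicit nonce k: r = (kG).x mod n, s = k^-1 (z + r d) mod n."""
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r*d) % N

def recover_nonce(d, z, r, s):
    """Knowing d, the tester inverts the signing equation: k = s^-1 (z + r d) mod n."""
    return pow(s, -1, N) * (z + r*d) % N

def nonce_bit_length(d, m):
    """Sign m with a hash-derived nonce (stand-in for a deterministic nonce), recover k, return its bit length."""
    z = int.from_bytes(hashlib.sha256(m).digest(), "big") % N
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + m).digest(), "big") % N or 1
    r, s = sign(d, z, k)
    return recover_nonce(d, z, r, s).bit_length()

def welch_t(xs, ys):
    """Welch's t statistic; a large |t| means the two timing populations differ."""
    vx, vy = statistics.variance(xs), statistics.variance(ys)
    return (statistics.mean(xs) - statistics.mean(ys)) / math.sqrt(vx/len(xs) + vy/len(ys))

def timing_step(records, full_bits):
    """t between full-length nonces and those one bit shorter (the report's 513-vs-512 step); records = (nonce_bits, time_ns)."""
    full = [t for b, t in records if b == full_bits]
    short = [t for b, t in records if b == full_bits - 1]
    return welch_t(full, short)
```

For a real measurement the records would come from timing each gnutls_privkey_sign_data2 call and pairing it with the bit length recovered from that call's signature; a consistent, large |t| between the two buckets is the signal the report describes.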