
rsa: Constant time decryption

Jakub Jelen requested to merge jjelen/libgcrypt-mirror:constant-time-mulm into master

The current MPI code is not constant time, potentially leaking plaintext when the attacker can observe enough decipher operations using RSA PKCS#1.5. This is described as a Marvin Attack:

This change set consists of several steps:

  • Blinding removal is changed to use constant-time MPI operations (multiplication and modulo). This is the first step that operates on the plaintext and that could leak some information.
  • The conversion of the MPI to a string using gcry_mpi_print() is not constant time and implicitly strips leading zeroes, technically leaking plaintext. The OAEP use of gcry_mpi_print() is slightly better, but still not constant time, as the leading zeroes are dropped and then restored.
  • The last step, conversion of the plaintext to the S-expression, leaks the message length too; this was changed to operate on a fixed-length buffer.
Edited by Jakub Jelen
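The three steps in the description (serialise the unblinded MPI at full modulus width without stripping leading zeroes, then parse the PKCS#1 v1.5 padding without early exits, then hand back a fixed-length buffer) are illustrated below as an added example. This is not libgcrypt's code and not the merge request's diff: it uses its own branch-free mask helpers, a constructed 32-byte block (k = 32, the width of a 256-bit modulus) and a hypothetical little-endian limb array, and places a leaky unpadder next to the constant-time one so the difference in control flow is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch-free mask helpers: each returns all-ones (true) or all-zeros (false). */
static uint8_t ct_is_zero_u8(uint8_t x) {
    /* ((x - 1) >> 31) is 1 only when x == 0 */
    return (uint8_t)(0u - (((uint32_t)x - 1u) >> 31));
}
static uint8_t ct_eq_u8(uint8_t a, uint8_t b) { return ct_is_zero_u8(a ^ b); }
static uint32_t ct_eq_u32(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                    /* x | -x has its top bit set iff x != 0 */
    return 0u - (((x | (0u - x)) >> 31) ^ 1u);
}
static uint32_t ct_ge_u32(uint32_t a, uint32_t b) {
    uint32_t lt = (uint32_t)(((uint64_t)a - (uint64_t)b) >> 63);   /* 1 iff a < b */
    return 0u - (lt ^ 1u);
}
static uint32_t ct_mask8_to_32(uint8_t m) { return 0u - (uint32_t)(m & 1u); }

/* Step 1: serialise a (hypothetical) little-endian array of 32-bit limbs as exactly
 * k big-endian bytes. The work done and the output length never depend on the
 * value, so a leading 0x00 is emitted rather than stripped. Assumes k == 4 * nlimbs. */
static void mpi_to_fixed_be(const uint32_t *limbs, size_t nlimbs, uint8_t *out, size_t k) {
    (void)nlimbs;
    for (size_t i = 0; i < k; i++) {
        size_t byte = k - 1 - i;           /* byte index from the least significant end */
        out[i] = (uint8_t)(limbs[byte / 4] >> (8 * (byte % 4)));
    }
}

/* Leaky reference: early returns and a length-dependent memcpy make the running
 * time depend on the padding, which is exactly the oracle a Marvin-style attacker
 * measures. Returns the message length, or 0 when the padding is invalid. */
static size_t unpad_leaky(const uint8_t *em, size_t k, uint8_t *out) {
    if (em[0] != 0x00 || em[1] != 0x02) return 0;
    size_t i = 2;
    while (i < k && em[i] != 0x00) i++;
    if (i == k || i < 10) return 0;        /* no separator, or fewer than 8 PS bytes */
    memcpy(out, em + i + 1, k - i - 1);
    return k - i - 1;
}

/* Steps 2 and 3: constant-time unpadding of a k-byte PKCS#1 v1.5 type 2 block.
 * Every byte is scanned, nothing exits early, and all k - 11 bytes of out are
 * always written (message left-aligned, zero-filled). *ok becomes 1 or 0 and the
 * returned length is 0 when the padding is invalid. Requires k >= 11. */
static size_t unpad_ct(const uint8_t *em, size_t k, uint8_t *out, int *ok) {
    size_t out_cap = k - 11;
    uint8_t good = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02);
    uint8_t found = 0;                     /* all-ones once the first 0x00 is seen */
    uint32_t zero_index = 0;
    for (size_t i = 2; i < k; i++) {
        uint8_t is_zero = ct_is_zero_u8(em[i]);
        uint8_t first = is_zero & (uint8_t)~found;
        zero_index |= (uint32_t)i & ct_mask8_to_32(first);
        found |= is_zero;
    }
    good &= found;
    good &= (uint8_t)ct_ge_u32(zero_index, 10);   /* at least 8 bytes of PS */
    uint32_t good32 = ct_mask8_to_32(good);
    uint32_t start = zero_index + 1;
    /* Copy by selection: every (j, i) pair is visited whatever start is. */
    for (size_t j = 0; j < out_cap; j++) {
        uint8_t v = 0;
        for (size_t i = 11; i < k; i++)
            v |= em[i] & (uint8_t)ct_eq_u32((uint32_t)i, start + (uint32_t)j);
        out[j] = v & good;
    }
    *ok = (int)(good & 1u);
    return (size_t)(((uint32_t)k - start) & good32);
}

/* Builds a constructed block: 00 02, ps_len bytes of 0xAB, 00, then msg.
 * The caller keeps ps_len + msg_len + 3 equal to the block size. */
static void build_block(uint8_t *em, size_t ps_len, const char *msg, size_t msg_len) {
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xAB, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, msg, msg_len);
}

int main(void) {
    uint8_t em[32], msg[21]; int ok;
    build_block(em, 24, "hello", 5);        /* 24 + 5 + 3 == 32 */
    size_t n = unpad_ct(em, 32, msg, &ok);
    printf("ok=%d len=%zu msg=%.*s\n", ok, n, (int)n, msg);
    em[1] = 0x01;                           /* corrupt the block type byte */
    n = unpad_ct(em, 32, msg, &ok);
    printf("ok=%d len=%zu\n", ok, n);
    return 0;
}
```

The selection copy in unpad_ct is quadratic in k (about 63k byte operations for a 2048-bit modulus), which is the usual price for avoiding a start-offset-dependent memcpy; the caller then consumes the fixed-size buffer plus the returned length in its own constant-time fashion rather than truncating the buffer to the message.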
