Paper 2017/627

Sliding right into disaster: Left-to-right sliding windows leak

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom

Abstract

It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40\% of the bits, and 5-bit sliding windows leak only 33\% of the bits. In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about exponent bits than for right-to-left. We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction, and use it to obtain very efficient full key recovery for RSA-1024. We also provide strong evidence that the same attack works for RSA-2048 with only moderately more computation.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in CHES 2017
Keywords
left-to-right sliding windowscache attackFlush+ReloadRSA-CRT
Contact author(s)
authorcontact-slidingright @ box cr yp to
History
2017-06-28: revised
2017-06-27: received
See all versions
Short URL
https://ia.cr/2017/627
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/627,
      author = {Daniel J.  Bernstein and Joachim Breitner and Daniel Genkin and Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and Christine van Vredendaal and Yuval Yarom},
      title = {Sliding right into disaster: Left-to-right sliding windows leak},
      howpublished = {Cryptology ePrint Archive, Paper 2017/627},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/627}},
      url = {https://eprint.iacr.org/2017/627}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.