Side-channel leakage in the mpz_powm_sec interface
Hubert Kario
hkario at redhat.com
Thu Aug 24 18:39:04 CEST 2023
Hello,
While I was researching CVE-2022-4304 in OpenSSL, I looked into some other
implementations (specifically to see if there are constant-time
implementations
of modular arithmetic).
I was able to confirm that the low-level functions, like the mpn_sec_powm()
function have no timing leakage with regards to operands or result
(exactly like section 8.1 of the manual[2] states).
I wasn't able to do the same with regards to the mpz_powm_sec() function.
Irrespective of how I initialised the used mpz_t objects, if the operands
don't have high order words set, the timing of the operation is different.
Thus I believe that if mpz_powm_sec() is used for RSA or Diffie-Hellman
it would be vulnerable to the Bleichenbacher or Raccoon attacks
respectively.
This is despite the documentation stating that "This function is intended
for
cryptographic purposes, where resilience to side-channel attacks is
desired."[1]
I think this is likely caused by exactly the same issue as in OpenSSL: that
the mpz objects are "clamped" or "normalised", where the methods make sure
that the returned object doesn't use more memory than necessary to store
the
number.
Did I miss the methods to ensure that the objects are not clamped, or
should
the mpz_powm_sec() interface be marked as _not_ secure for cryptographic
purposes?
1 -
https://gmplib.org/manual/Integer-Exponentiation#index-mpz_005fpowm_005fsec
2 - https://gmplib.org/manual/Low_002dlevel-Functions
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the gmp-bugs
mailing list