* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move
the assignment to base_u into the loop. Copy content refered by RP to
BASE_U except the last of the loop.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(backport commit of libgcrypt master:
78130828e9a140a9de4dafadbc844dbb64cb709a)
* include/mpi.h, mpi/mpiutils.c (mpi_set_cond): New.
* mpi/mpi-pow.c (SIZE_PRECOMP): Rename from SIZE_B_2I3.
(mpi_powm): Access all data in the table and use mpi_set_cond.
--
Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack. This change fixes
this particular data-dependent access pattern.
* mpi/mpi-pow.c (USE_ALGORITHM_SIMPLE_EXPONENTIATION): New.
(mul_mod) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New.
(mpi_powm) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New implementation
of left-to-right k-ary exponentiation.
--
This is a backport from Libgcrypt commit
45aa6131e93fac89d46733b3436d960f35fb99b2
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
For the Yarom/Falkner flush+reload cache side-channel attack, we
changed the code so that it always calls the multiplication
routine (even if we can skip it to get result). This results some
performance regression.
This change is for recovering performance with efficient
algorithm.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpi-pow.c (mpi_powm): Always perform the mpi_mul for exponents
hold in secure memory.
--
The attack is described in a paper to be pusblished at eprint.iacr.org:
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
Signed-off-by: Werner Koch <wk@gnupg.org>
