Side-channel vulnerability in libgcrypt - the Marvin Attack
Hubert Kario
hkario at redhat.com
Fri Mar 22 13:24:41 CET 2024
On Friday, 22 March 2024 00:51:06 CET, NIIBE Yutaka wrote:
> Hello,
>
> And... yes, it's true that it's hard in programming to estimate
> worst-case running time; it's also hard to guarantee constant-time
> running time, in a given situation of programming environment and
> hardware architecture.
OpenSSL, BoringSSL (they have different code for RSA than OpenSSL now),
Go, NSS, GnuTLS, Apple corecrypto, and WolfSSL were all able to do this
operation in constant time in software, and those are only the ones
for which I have directly seen evidence that the fixes were successful,
so while it may not be simple, it's clearly not impossible.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
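The operation the message refers to is RSA decryption with PKCS#1 v1.5 padding, whose data-dependent unpadding timing is what the Marvin attack measures. As an added example that is not libgcrypt's code nor that of any library named above, the following C routine performs the unpadding check without branching or indexing on secret data; the helper names and the constructed test vectors are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Branch-free helpers: each returns an all-ones mask (true) or zero (false). */
static uint32_t ct_eq(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    return 0u - (uint32_t)(~(x | (0u - x)) >> 31);
}
static uint32_t ct_lt(uint32_t a, uint32_t b) {      /* a < b, inputs below 2^31 */
    return 0u - (uint32_t)((a - b) >> 31);
}
static uint32_t ct_select(uint32_t m, uint32_t a, uint32_t b) {
    return (m & a) | (~m & b);
}

/*
 * Constant-time PKCS#1 v1.5 type-2 unpadding of an encoded message
 * EM = 0x00 || 0x02 || PS (at least 8 nonzero bytes) || 0x00 || M.
 * Every byte of em is read and every byte of out is written regardless of
 * where (or whether) the separator is found. Returns the all-ones mask when
 * the padding is valid, zero otherwise; *m_len receives the length of M
 * (0 when invalid). out must hold em_len - 11 bytes. em_len is the public
 * modulus size, so branching on it leaks nothing secret.
 */
static uint32_t ct_pkcs1_unpad(const uint8_t *em, size_t em_len,
                               uint8_t *out, size_t *m_len) {
    if (em_len < 11) { *m_len = 0; return 0; }
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint32_t found = 0, zero_idx = 0;
    /* Record the index of the first zero byte after the prefix, data-independently. */
    for (uint32_t i = 2; i < em_len; i++) {
        uint32_t is_zero = ct_eq(em[i], 0);
        zero_idx = ct_select(~found & is_zero, i, zero_idx);
        found |= is_zero;
    }
    good &= found;                       /* a separator must exist        */
    good &= ~ct_lt(zero_idx, 2 + 8);     /* and PS must be >= 8 bytes long */
    uint32_t start = zero_idx + 1;       /* first byte of M */
    size_t max_len = em_len - 11;
    /* Copy M to the front of out with a full scan per output byte. */
    for (uint32_t i = 0; i < max_len; i++) {
        uint32_t v = 0;
        for (uint32_t j = 11; j < em_len; j++)
            v = ct_select(ct_eq(j, start + i), em[j], v);
        out[i] = (uint8_t)(good & v);
    }
    *m_len = (size_t)(good & (uint32_t)(em_len - start));
    return good;
}
```

A full mitigation additionally replaces a rejected message with a deterministic fallback of the same shape (implicit rejection) so that the caller's subsequent processing does not reintroduce the timing difference; this block only shows the constant-time check itself.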