International Association for Cryptologic Research

International Association
for Cryptologic Research


Sliding Right into Disaster: Left-to-Right Sliding Windows Leak

Daniel J. Bernstein
Joachim Breitner
Daniel Genkin
Leon Groot Bruinderink
Nadia Heninger
Tanja Lange
Christine van Vredendaal
Yuval Yarom
DOI: 10.1007/978-3-319-66787-4_27
Search ePrint
Search Google
Conference: CHES 2017
Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding windows leak only 33% of the bits.In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024. For RSA-2048 our attack is efficient for 13% of keys.
  title={Sliding Right into Disaster: Left-to-Right Sliding Windows Leak},
  booktitle={Cryptographic Hardware and Embedded Systems – CHES 2017},
  series={Lecture Notes in Computer Science},
  author={Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and Christine van Vredendaal and Yuval Yarom},