Sliding Right into Disaster: Left-to-Right Sliding Windows Leak

  • Daniel J. Bernstein
  • Joachim Breitner
  • Daniel Genkin
  • Leon Groot Bruinderink
  • Nadia Heninger
  • Tanja Lange
  • Christine van Vredendaal
  • Yuval Yarom
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10529)


It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding windows leak only 33% of the bits.

In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024. For RSA-2048 our attack is efficient for 13% of keys.
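The comparison the abstract makes, as an added example that is not the paper's code: both scan directions are implemented, the exponent bits an observer can deduce from the square-and-multiply pattern alone are derived, and the leaked fraction is measured on constructed random exponents. The left-to-right deduction rules below are derived here from the window algorithm itself and are not claimed to be the paper's exact formulation; the 40% and 33% right-to-left figures should reappear for w = 4 and w = 5.

```python
import random

def l2r_windows(d, w):
    """Left-to-right sliding window (Libgcrypt style): skip zeros from the MSB; at a 1 take
    w bits and trim trailing zeros. Returns the multiply positions an S/M trace reveals."""
    lows, p = [], d.bit_length() - 1
    while p >= 0:
        if (d >> p) & 1:
            lo = max(p - w + 1, 0)             # untrimmed window is bits p..lo
            while not (d >> lo) & 1:           # trim so the window ends in a 1
                lo += 1
            lows.append(lo)                    # LSB-indexed position of the multiply
            p = lo
        p -= 1
    return lows

def known_bits_r2l(d, n, w):
    """Right-to-left: skip zeros from the LSB; at a 1 the next w bits form a window. The
    trace leaks every skipped zero and every multiply bit; a window's other bits stay hidden."""
    known, i = {}, 0
    while i < n:
        known[i] = (d >> i) & 1                # a skipped zero, or the 1 that starts a window
        i += w if known[i] else 1              # the window's upper w-1 bits are not leaked
    return known

def known_bits_l2r(lows, n, w):
    """A window ending at j began at a 1 bit s, j <= s <= j+w-1, with zeros from s+1 up to the
    end of the window above. Its untrimmed w bits hold no 1 below j, so the start below is
    <= s-w and the start above is >= s+w; where these bounds meet, s is pinned: a known 1."""
    asc, ub, top, lb = sorted(lows) + [n], {}, n - 1 + w, -w
    for j in reversed(asc[:-1]):               # top-down pass: s <= ub[j]
        ub[j] = top = min(j + w - 1, top - w)
    known = {p: 0 for p in range(asc[0])}      # below the last multiply only zeros remain
    for k, j in enumerate(asc[:-1]):           # bottom-up pass: s >= lb
        lb = max(j, lb + w)
        known.update({p: 0 for p in range(ub[j] + 1, asc[k + 1])})   # zeros above window
        known[j] = 1                           # the multiplication bit itself
        if lb == ub[j]:                        # bounds meet: the window's leading 1 is known
            known[lb] = 1
    return known

def leaked_fraction(w, nbits=512, samples=200, seed=1):
    """Average fraction of exponent bits each scan direction leaks, on constructed exponents."""
    rng, tot_l2r, tot_r2l = random.Random(seed), 0, 0
    for _ in range(samples):
        d = rng.getrandbits(nbits) | 1 << (nbits - 1) | 1     # constructed odd nbits-bit exponent
        kl, kr = known_bits_l2r(l2r_windows(d, w), nbits, w), known_bits_r2l(d, nbits, w)
        assert all((d >> p) & 1 == b for kn in (kl, kr) for p, b in kn.items())  # never wrong
        tot_l2r, tot_r2l = tot_l2r + len(kl), tot_r2l + len(kr)
    return tot_l2r / (samples * nbits), tot_r2l / (samples * nbits)
```

`leaked_fraction(4)` returns the (left-to-right, right-to-left) fractions; the second is close to 0.40 and the first is noticeably higher, which is the direction effect the abstract describes.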


Keywords: Left-to-right sliding windows, collision entropy, cache attack, Flush+Reload, RSA-CRT



Yuval Yarom performed part of this work as a visiting scholar at the University of Pennsylvania. This work was supported by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO) and project number 645421 (ECRYPT-CSA); by the National Science Foundation under grants 1314919, 1408734, 1505799, 1513671, 1319880 and 14–519; by a gift from Cisco; by an Endeavour Research Fellowship from the Australian Department of Education and Training; by the 2017-2018 Rothschild Postdoctoral Fellowship; by the Blavatnik Interdisciplinary Cyber Research Center (ICRC); by the Check Point Institute for Information Security; by the Israeli Centers of Research Excellence I-CORE program (center 4/11); by the Leona M. & Harry B. Helmsley Charitable Trust; by the Warren Center for Network and Data Sciences; by the financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology; and by the Defense Advanced Research Projects Agency (DARPA) under Contract #FA8650-16-C-7622.

Permanent ID of this document: 8016c16382e6f3876aa03bef6e4db5ff. Date: 2017.06.26.


Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Technische Universiteit Eindhoven, Eindhoven, Netherlands
  2. University of Illinois at Chicago, Chicago, USA
  3. University of Pennsylvania, Philadelphia, USA
  4. University of Maryland, College Park, USA
  5. University of Adelaide and Data61, CSIRO, Adelaide, Australia