Clarifications on RSA timing attack CVE-2022-4304

Hubert Kario
Mon Mar 13 12:12:17 UTC 2023

On Saturday, 11 March 2023 04:10:58 CET, Girish Yerra wrote:
> Hi All,
> I am not sure if this is the right forum to discuss the aspects 
> of the CVE. Feel free to close this and point me to the right 
> forum.
> I am looking for some more specific details on the attack 
> description. I am mainly looking for some of the details and 
> clarifications.
> 1. For timing attacks the popular counter measure is to apply 
> blinding which makes it timing resistant. Does this 
> countermeasure fail in this case?

While blinding protects against a leaky mod-exp implementation, unblinding
still has to be done in a constant-time manner. That wasn't done.
See some of the discussions in

> 2. What is the order of the trials that an attacker requires to 
> mount this attack?
> Please share any reference paper giving more details of this attack.

We're still working on a paper.

Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
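As an added illustration (not part of the thread or of OpenSSL's code), here is a textbook RSA private-key operation with base blinding, written to show which step the blinding protects (the mod-exp) and where the unblinding step that must also be constant-time sits. The key parameters and message are constructed toy values.

```python
"""Added example: RSA base blinding, step by step.
Toy parameters are constructed here; a real implementation uses 2048-bit
moduli, padding, and constant-time big-number arithmetic in every step."""
import math
import secrets

# Constructed toy key: two million-range primes, public exponent 65537.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def pick_blinding_factor(n):
    """Random r in [2, n-1] with gcd(r, n) == 1 so that r^-1 mod n exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blind(c, r, e, n):
    """Step 1: multiply the ciphertext by r^e so the mod-exp never operates
    on the attacker-chosen c directly; its timing no longer depends on c."""
    return (c * pow(r, e, n)) % n


def unblind(m_blinded, r, n):
    """Step 3: strip the factor r. This multiplication and reduction act on a
    value derived from the plaintext, so they must be constant-time as well;
    the reply above notes that this is the step that was not."""
    return (m_blinded * pow(r, -1, n)) % n


def rsa_private_blinded(c, d, e, n, r=None):
    """Blinded c^d mod n: blind -> protected mod-exp -> unblind."""
    if r is None:
        r = pick_blinding_factor(n)
    m_blinded = pow(blind(c, r, e, n), d, n)  # Step 2: mod-exp on blinded base
    return unblind(m_blinded, r, n)


if __name__ == "__main__":
    m = 123_456_789
    c = pow(m, E, N)
    assert rsa_private_blinded(c, D, E, N) == m
    # The same ciphertext reaches the mod-exp as a different base each time.
    print(blind(c, 3, E, N) != blind(c, 5, E, N))
```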
