)]}'
{
  "commit": "848113a30b431c2fe21ae8de2a366b9b6146fb92",
  "tree": "19563dc8a37f2d4832e5cc7da203709799b4758b",
  "parents": [
    "c869c3ada944bc42a6c00e0433c9d523c4426cde"
  ],
  "author": {
    "name": "User",
    "email": "milosprv@gmail.com",
    "time": "Wed May 16 13:59:36 2018 -0400"
  },
  "committer": {
    "name": "Andy Polyakov",
    "email": "appro@openssl.org",
    "time": "Wed May 30 23:01:56 2018 +0200"
  },
  "message": "bn/bn_exp.c: mitigation of the One-and-Done side-channel attack.\n\nThe One\u0026Done attack, which is described in a paper to appear in the\nUSENIX Security\u002718 conference, uses EM emanations to recover the values\nof the bits that are obtained using BN_is_bit_set while constructing\nthe value of the window in BN_mod_exp_consttime. The EM signal changes\nslightly depending on the value of the bit, and since the lookup of a\nbit is surrounded by highly regular execution (constant-time Montgomery\nmultiplications) the attack is able to isolate the (very brief) part of\nthe signal that changes depending on the bit. Although the change is\nslight, the attack recovers it successfully \u003e90% of the time on several\nphones and IoT devices (all with ARM processors with clock rates around\n1GHz), so after only one RSA decryption more than 90% of the bits in\nd_p and d_q are recovered correctly, which enables rapid recovery of\nthe full RSA key using an algorithm (also described in the paper) that\nmodifies the branch-and-prune approach for a situation in which the\nexponents\u0027 bits are recovered with errors, i.e. where we do not know\na priori which bits are correctly recovered.\n\nThe mitigation for the attack is relatively simple - all the bits of\nthe window are obtained at once, along with other bits so that an\nentire integer\u0027s worth of bits are obtained together using masking and\nshifts, without unnecessarily considering each bit in isolation. This\nimproves performance somewhat (one call to bn_get_bits is faster than\nseveral calls to BN_is_bit_set), so the attacker now gets one signal\nsnippet per window (rather than one per bit) in which the signal is\naffected by all bits in the integer (rather than just the one bit).\n\nReviewed-by: Andy Polyakov \u003cappro@openssl.org\u003e\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/6276)\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "258e901d1454dd56a50f96f6f36f564516f77645",
      "old_mode": 33188,
      "old_path": "crypto/bn/bn_exp.c",
      "new_id": "2dbf5b42c1eae3c0e089cef3816b1d057ec9c947",
      "new_mode": 33188,
      "new_path": "crypto/bn/bn_exp.c"
    }
  ]
}
