Skip to content


Fix ECDSA scalar multiplication leakage of bit-length. (GH #870)
Browse files Browse the repository at this point in the history
This fixes the timing leakage of bit-length of nonces in ECDSA by essentially
fixing the bit-length, by using a nonce equivalent modulo the subgroup order.
  • Loading branch information
J08nY authored and noloader committed Jul 29, 2019
1 parent 739e579 commit f68f00f
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions pubkey.h
Original file line number Diff line number Diff line change
Expand Up @@ -1604,10 +1604,10 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
if (rng.CanIncorporateEntropy())
rng.IncorporateEntropy(representative, representative.size());

const Integer& q = params.GetSubgroupOrder();
Integer k;
if (alg.IsDeterministic())
const Integer& q = params.GetSubgroupOrder();
const Integer& x = key.GetPrivateExponent();
const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
k = det.GenerateRandom(x, q, e);
Expand All @@ -1617,8 +1617,13 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
k.Randomize(rng, 1, params.GetSubgroupOrder()-1);

Integer ks = k + q;
if (ks.BitCount() == q.BitCount()) {
ks += q;

Integer r, s;
r = params.ConvertElementToInteger(params.ExponentiateBase(k));
r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);

Expand Down

0 comments on commit f68f00f

Please sign in to comment.