
Fix ECDSA scalar multiplication leakage of bit-length. (GH #870)

This fixes the timing leakage of bit-length of nonces in ECDSA by essentially
fixing the bit-length, by using a nonce equivalent modulo the subgroup order.
J08nY authored and noloader committed Jul 29, 2019
1 parent 739e579 commit f68f00f5601f6e4aade302e92cb1a7f8e85c250f
Showing with 7 additions and 2 deletions.
  1. +7 −2 pubkey.h
@@ -1604,10 +1604,10 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
if (rng.CanIncorporateEntropy())
rng.IncorporateEntropy(representative, representative.size());

const Integer& q = params.GetSubgroupOrder();
Integer k;
if (alg.IsDeterministic())
{
const Integer& q = params.GetSubgroupOrder();
const Integer& x = key.GetPrivateExponent();
const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
k = det.GenerateRandom(x, q, e);
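Review bot: Hoisting `const Integer& q = params.GetSubgroupOrder();` above the `if (alg.IsDeterministic())` block is what makes `q` available for the nonce adjustment that follows, but the remaining `k.Randomize(rng, 1, params.GetSubgroupOrder()-1);` in the non-deterministic branch now duplicates that lookup and should read `k.Randomize(rng, 1, q-1);`. A one-line comment above the declaration noting that `q` is shared by both nonce paths would also document why it moved.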
@@ -1617,8 +1617,13 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
}

Integer ks = k + q;
if (ks.BitCount() == q.BitCount()) {
ks += q;
}

Integer r, s;
r = params.ConvertElementToInteger(params.ExponentiateBase(k));
r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);

/*
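Review bot: The `if (ks.BitCount() == q.BitCount())` test in `Integer ks = k + q; if (...) { ks += q; }` is itself a branch on a nonce-derived value, so while it removes the variable-length scalar from `ExponentiateBase`, it leaves a data-dependent conditional that an observer could still time; a constant-time select between `k + q` and `k + 2*q`, or a comment recording that this residual branch is accepted, would close that gap. A comment stating the invariant would also help: for 1 <= k < q, `ks` always has exactly `q.BitCount() + 1` bits, because when `k + q` still fits in `q.BitCount()` bits we have `k < 2^n - q` and therefore `k + 2q < 2^(n+1)`. Finally, `alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);` keeps passing the original `k` while `r` is now computed from `ks`; that is correct since `ks ≡ k (mod q)`, but it deserves a note so a later reader does not "fix" it by substituting `ks`.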
