Fix ECDSA scalar multiplication leakage of bit-length. #870

Merged
merged 1 commit into from Jul 29, 2019
Fix ECDSA scalar multiplication leakage of bit-length.

This fixes the timing leakage of bit-length of nonces in ECDSA by essentially
fixing the bit-length, by using a nonce equivalent modulo the subgroup order.
J08nY committed Jul 29, 2019
commit 80c59bcdb251043f27eef95a4f31224c4615c3ec
@@ -1604,10 +1604,10 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
if (rng.CanIncorporateEntropy())
rng.IncorporateEntropy(representative, representative.size());

const Integer& q = params.GetSubgroupOrder();
Integer k;
if (alg.IsDeterministic())
{
const Integer& q = params.GetSubgroupOrder();
const Integer& x = key.GetPrivateExponent();
const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
k = det.GenerateRandom(x, q, e);
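Review bot: `q` is hoisted to the outer scope (`const Integer& q = params.GetSubgroupOrder();` before `Integer k;`), yet the deterministic branch still shows its own `const Integer& q = params.GetSubgroupOrder();`. The hunk header's equal line counts (10 → 10) indicate one line added and one removed, so the inner declaration should be the one going away; if both survive, the inner one shadows the outer and trips `-Wshadow`. Hoisting is needed because `q` is referenced after the `if` in the follow-on change, so please confirm the inner copy is indeed deleted rather than left as a duplicate.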
@@ -1617,8 +1617,13 @@ class CRYPTOPP_NO_VTABLE DL_SignerBase : public DL_SignatureSchemeBase<PK_Signer
k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
}

Integer ks = k + q;
if (ks.BitCount() == q.BitCount()) {
ks += q;
}

Integer r, s;
r = params.ConvertElementToInteger(params.ExponentiateBase(k));
r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);

/*
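Review bot: the adjustment `Integer ks = k + q; if (ks.BitCount() == q.BitCount()) ks += q;` does pin the scalar to exactly `q.BitCount() + 1` bits for every k in [1, q-1]: k + q lies in [q+1, 2q-1]; if it stayed below 2^b (b = q.BitCount()), adding q < 2^b keeps it below 2^(b+1); otherwise it was already at least 2^b. Since ks ≡ k (mod q), `ExponentiateBase(ks)` yields the same r, and passing the original `k` to `alg.Sign(...)` stays correct because s only depends on k mod q. Two requests: first, the `if` is itself a branch on the secret nonce (it reveals whether k + q crossed 2^b, which for P-256 singles out nonces below roughly 2^224), a far smaller leak than the bit length but still one, so consider a branch-free select of `k + q` versus `k + 2q`; second, add a comment above the `ks` block stating why the scalar is deliberately pushed outside [1, q-1] and why `k` rather than `ks` is still handed to `Sign`, otherwise the next reader will take it for a bug. Minor: `k.Randomize(rng, 1, params.GetSubgroupOrder()-1);` could use the hoisted `q` for consistency.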
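The nonce adjustment from the second hunk, shown as an added Python example that is not Crypto++ code: a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5, 1)) makes the bit-length leak visible as the iteration count of a naive double-and-add, `fix_bit_length` mirrors the hunk's arithmetic, and the base-point order of NIST P-256 (a real public constant) shows the same property at a realistic size. The function names `point_add`, `double_and_add`, `group_order`, `all_bit_lengths` and `compare_scalars` are chosen here and do not correspond to Crypto++ APIs.

```python
"""Added example (not Crypto++ code): why a nonce of varying bit length leaks
through a naive scalar multiplication, and how the PR's `ks = k + q (+ q)`
adjustment pins the scalar's bit length while leaving r unchanged."""

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1);
# small enough to enumerate, unrelated to the real curves Crypto++ uses.
P, A = 17, 2
G = (5, 1)

# Real, public constant: the base-point order of NIST P-256, used only to
# show the adjustment on a realistic 256-bit q.
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def point_add(p1, p2):
    """Affine addition/doubling on the toy curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def double_and_add(k, point):
    """Left-to-right double-and-add. Returns (k*point, loop iterations).
    One iteration per bit of k, so the running time exposes k.bit_length():
    this is the leak the PR addresses."""
    acc, iterations = None, 0
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, point)
        iterations += 1
    return acc, iterations


def group_order(point):
    """Smallest n with n*point = O (brute force, fine for the toy curve only)."""
    n, acc = 1, point
    while acc is not None:
        acc = point_add(acc, point)
        n += 1
    return n


def fix_bit_length(k, q):
    """Mirror of the hunk: ks = k + q, plus another q if the bit count did not
    grow. For every k in [1, q-1] the result has exactly q.bit_length() + 1
    bits and ks == k (mod q), so x([ks]G) equals x([k]G)."""
    if not 1 <= k < q:
        raise ValueError("nonce must lie in [1, q-1]")
    ks = k + q
    if ks.bit_length() == q.bit_length():   # k + q < 2^b: add q once more
        ks += q                              # now in [2^b, 2^(b+1)) since q < 2^b
    return ks


def all_bit_lengths(q):
    """Exhaustive check for a small q: set of bit lengths the fix produces."""
    return {fix_bit_length(k, q).bit_length() for k in range(1, q)}


def compare_scalars(nonces, q, point=G):
    """Per nonce: (k, bits of k, iterations for k, ks, iterations for ks, same r?)."""
    rows = []
    for k in nonces:
        ks = fix_bit_length(k, q)
        r_k, it_k = double_and_add(k, point)
        r_ks, it_ks = double_and_add(ks, point)
        rows.append((k, k.bit_length(), it_k, ks, it_ks, r_k == r_ks))
    return rows


if __name__ == "__main__":
    n = group_order(G)
    print(f"toy group order n = {n} ({n.bit_length()} bits)")
    for row in compare_scalars(range(1, n), n):
        print("k=%2d bits=%d iters=%d | ks=%2d iters=%d same_r=%s" % row)
    print("bit lengths after fix, all k:", all_bit_lengths(n))
    print("P-256 edge nonces ->",
          sorted({fix_bit_length(k, Q_P256).bit_length()
                  for k in (1, Q_P256 - 1, 1 << 255, (1 << 255) - 1)}))
```

Run stand-alone, the table shows raw nonces taking between 1 and 5 loop iterations on the 19-element toy group while every adjusted scalar takes exactly 6, with the resulting point unchanged. The remaining `if` in `fix_bit_length` is kept on purpose to match the hunk; it is the one secret-dependent branch the reviewer note above points out.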