arne
/
cryptopp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix ECDSA scalar multiplication leakage of bit-length. (GH #870) 

This fixes the timing leakage of bit-length of nonces in ECDSA by essentially
fixing the bit-length, by using a nonce equivalent modulo the subgroup order.
pull/871/head
Ján Jančár 2019-07-29 16:12:14 +02:00 committed by Jeffrey Walton
parent 739e5799e3
commit f68f00f560
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pubkey.h
View File

@ -1604,10 +1604,10 @@ public:
if (rng.CanIncorporateEntropy()) if (rng.CanIncorporateEntropy())
rng.IncorporateEntropy(representative, representative.size()); rng.IncorporateEntropy(representative, representative.size());
const Integer& q = params.GetSubgroupOrder();
Integer k; Integer k;
if (alg.IsDeterministic()) if (alg.IsDeterministic())
{ {
const Integer& q = params.GetSubgroupOrder();
const Integer& x = key.GetPrivateExponent(); const Integer& x = key.GetPrivateExponent();
const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg); const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
k = det.GenerateRandom(x, q, e); k = det.GenerateRandom(x, q, e);
@ -1617,8 +1617,13 @@ public:
k.Randomize(rng, 1, params.GetSubgroupOrder()-1); k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
} }
Integer ks = k + q;
if (ks.BitCount() == q.BitCount()) {
ks += q;
}
Integer r, s; Integer r, s;
r = params.ConvertElementToInteger(params.ExponentiateBase(k)); r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
alg.Sign(params, key.GetPrivateExponent(), k, e, r, s); alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);
/* /*