ECDSA: Fix side channel vulnerability
The blinding applied to the scalar before modular inversion is
inadequate. Bignum is not constant time/constant trace; side channel
attacks can retrieve the blinded value and factor it (it is smaller than
RSA keys and not guaranteed to have only large prime factors). Then the
key can be recovered by brute force.

Reducing the blinded value makes factoring useless because the adversary
can only recover pk*t+z*N instead of pk*t.
yanesca committed Oct 17, 2019
1 parent 150d577 commit 247c4d3
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions library/ecdsa.c
Expand Up @@ -363,6 +363,7 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
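Review bot: the added `MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );` has no comment, and to a later reader it looks redundant, since `mbedtls_mpi_inv_mod( s, pk, &grp->N )` gives the same result for an unreduced `pk`; add a one-line comment saying the reduction exists so that the value reaching the non-constant-time inversion is `pk*t mod N` rather than the factorable product `pk*t`, otherwise a cleanup pass may remove it and silently reopen the issue. The same reasoning seems to apply to `e`: it is multiplied by `t` on the `mbedtls_mpi_mul_mpi( &e, &e, &t )` line and then used unreduced in `mbedtls_mpi_mul_mpi( s, s, &e )`, so if the multiplication leaks its operand the way the inversion does, that product can be factored and split in the same way; consider reducing `e` mod `N` right after it is blinded as well, or note why that is not needed.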
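The arithmetic in the commit message, written out as an added example that is not part of mbedtls or of this commit: the blinded computation s = t(e + rd) / (kt) mod N gives the same signature whether or not kt is reduced before the inversion, but only the unreduced product can be factored and split back into k. The curve is secp256k1 (public domain parameters); the private key, message hash, nonce and blinding value are constructed for the demo, the nonce is deliberately smooth and the blinding value is fixed to the prime 2^255 - 19 so that the attacker's trial division finishes instantly (mbedtls draws t at random); the function names are the example's own.

```python
"""Added example (not mbedtls code): ECDSA step 6 with nonce blinding on
secp256k1, plus the factor-then-brute-force attack that an unreduced
blinded nonce enables.  All key material below is constructed for the demo."""
import hashlib

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_P, prime group order N).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def sign_plain(d, k, e):
    """Textbook ECDSA: s = (e + r*d) / k mod N."""
    r = ec_mul(k, G)[0] % N
    return r, (e + r * d) * pow(k, -1, N) % N


def sign_blinded(d, k, e, t, reduce_before_inverse):
    """Mirror of step 6 in the hunk: s = t*(e + r*d) / (k*t) mod N.
    Also returns the value handed to the (leaky) modular inversion."""
    r = ec_mul(k, G)[0] % N
    num = (e + r * d) * t             # e = (e + r*d) * t, left unreduced
    kt = k * t                        # pk = pk * t  (pk is the nonce here)
    if reduce_before_inverse:         # the one-line fix: pk = pk mod N
        kt %= N
    s = pow(kt, -1, N) * num % N      # s = inv(pk) * e mod N
    return r, s, kt


def trial_factor(n, bound=1 << 17):
    """Attacker: strip every prime factor below `bound`; leftover cofactor last."""
    factors = []
    f = 2
    while f <= bound and f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1 if f == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


def recover_nonce(leaked, r, s, e, Q):
    """Attacker: try every divisor of the leaked value as the nonce, derive the
    private key it would imply (d = (s*k - e)/r) and keep the one matching Q."""
    divisors = {1}
    for p in trial_factor(leaked):
        divisors |= {d * p for d in divisors}
    r_inv = pow(r, -1, N)
    for k_guess in sorted(divisors):
        if k_guess >= N:
            continue
        d_guess = (s * k_guess - e) * r_inv % N
        if ec_mul(d_guess, G) == Q:
            return k_guess, d_guess
    return None


# Constructed demo values (not real key material).
D = int.from_bytes(hashlib.sha256(b"demo private key").digest(), "big") % N
E = int.from_bytes(hashlib.sha256(b"message being signed").digest(), "big") % N
K = 7681 * 12289 * 40961 * 65537   # smooth nonce so trial division splits k*t
T = (1 << 255) - 19                # blinding value: fixed prime here, random in mbedtls
Q = ec_mul(D, G)


def demo():
    """Returns what the attacker recovers from the unreduced (False) and the
    reduced (True) blinded nonce; the signature itself is identical in both."""
    r, s = sign_plain(D, K, E)
    results = {}
    for fixed in (False, True):
        r_b, s_b, kt = sign_blinded(D, K, E, T, reduce_before_inverse=fixed)
        assert (r_b, s_b) == (r, s)   # blinding never changes the signature
        results[fixed] = recover_nonce(kt, r, s, E, Q)
    return results


if __name__ == "__main__":
    out = demo()
    print("unreduced k*t leaked ->", out[False])   # (K, D): nonce and key recovered
    print("reduced k*t mod N    ->", out[True])    # None: divisors unrelated to k
```

The reduced value equals k*t - q*N for some q with 0 < q < k, so k cannot divide it and its divisors carry no information about the nonce; the attack loop simply exhausts them. With a real 256-bit random nonce the factoring step is much harder than the trial division used here, which is the commit message's point about the product not being guaranteed to have only large prime factors.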
