author | Ján Jančár <J08nY@users.noreply.github.com> | 2019-07-29 16:12:14 +0200 |
---|---|---|
committer | Jeffrey Walton <noloader@gmail.com> | 2019-07-29 10:12:14 -0400 |
commit | f68f00f5601f6e4aade302e92cb1a7f8e85c250f (patch) | |
tree | 89a429874b46beb0bc3bd7c4edbb9e61ebfc3988 /pubkey.h | |
parent | 739e5799e3d688ff06e900cd06e9c651903bbb1f (diff) | |
download | cryptopp-git-f68f00f5601f6e4aade302e92cb1a7f8e85c250f.tar.gz |
Fix ECDSA scalar multiplication leakage of bit-length. (GH #870)
This fixes the timing leakage of the nonce's bit-length in ECDSA by essentially fixing the bit-length: a nonce that is equivalent modulo the subgroup order is used instead.
Diffstat (limited to 'pubkey.h')
-rw-r--r-- | pubkey.h | 9 |
1 files changed, 7 insertions, 2 deletions
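--- a/pubkey.h
+++ b/pubkey.h
@@ -1604,10 +1604,10 @@ public:
 if (rng.CanIncorporateEntropy())
 rng.IncorporateEntropy(representative, representative.size());
+const Integer& q = params.GetSubgroupOrder();
 Integer k;
 if (alg.IsDeterministic())
 {
-const Integer& q = params.GetSubgroupOrder();
 const Integer& x = key.GetPrivateExponent();
 const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
 k = det.GenerateRandom(x, q, e);
@@ -1617,8 +1617,13 @@ public:
 k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
 }
+Integer ks = k + q;
+if (ks.BitCount() == q.BitCount()) {
+ks += q;
+}
+
 Integer r, s;
-r = params.ConvertElementToInteger(params.ExponentiateBase(k));
+r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
 alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);
 /*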
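Review bot: The new `ks` block (from `Integer ks = k + q;` to its closing brace) carries no comment explaining why the scalar passed to ExponentiateBase differs from the `k` still handed to alg.Sign, which is the whole point of the fix and is exactly what a later "cleanup" is likely to undo. I would add above `Integer ks = k + q;`: `// GH #870: use k+q (or k+2q) so the scalar always has BitCount(q)+1 bits regardless of k; ks == k (mod q), so R is unchanged and alg.Sign still uses k.` Now that `q` is hoisted to function scope in the first hunk, `k.Randomize(rng, 1, params.GetSubgroupOrder()-1);` in the second hunk could read `k.Randomize(rng, 1, q-1);` for consistency with the deterministic branch. Fixing the bit length removes only the length-dependent timing signal; whether ExponentiateBase is otherwise constant-time in its per-bit work is not visible here and should be confirmed separately. The enclosing signing function begins before the first hunk and continues past `/*`.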