authorJán Jančár <J08nY@users.noreply.github.com>2019-07-29 16:12:14 +0200
committerJeffrey Walton <noloader@gmail.com>2019-07-29 10:12:14 -0400
commitf68f00f5601f6e4aade302e92cb1a7f8e85c250f (patch)
tree89a429874b46beb0bc3bd7c4edbb9e61ebfc3988 /pubkey.h
parent739e5799e3d688ff06e900cd06e9c651903bbb1f (diff)
downloadcryptopp-git-f68f00f5601f6e4aade302e92cb1a7f8e85c250f.tar.gz
Fix ECDSA scalar multiplication leakage of bit-length. (GH #870)
This fixes the timing leakage of the nonce's bit-length in ECDSA by making that bit-length constant: the scalar multiplication uses a nonce that is equivalent to the original one modulo the subgroup order.
Diffstat (limited to 'pubkey.h')
-rw-r--r--pubkey.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/pubkey.h b/pubkey.h
index 9af794be..41249448 100644
--- a/pubkey.h
+++ b/pubkey.h
@@ -1604,10 +1604,10 @@ public:
if (rng.CanIncorporateEntropy())
rng.IncorporateEntropy(representative, representative.size());
+ const Integer& q = params.GetSubgroupOrder();
Integer k;
if (alg.IsDeterministic())
{
- const Integer& q = params.GetSubgroupOrder();
const Integer& x = key.GetPrivateExponent();
const DeterministicSignatureAlgorithm& det = dynamic_cast<const DeterministicSignatureAlgorithm&>(alg);
k = det.GenerateRandom(x, q, e);
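Review bot: Now that `q` is declared before the nonce generation (the added line at the top of this hunk), the non-deterministic branch in the following hunk still calls `k.Randomize(rng, 1, params.GetSubgroupOrder()-1)`; for consistency with the hoisted reference it should read `k.Randomize(rng, 1, q-1);`. The moved declaration also deserves a one-line comment explaining why it left the deterministic branch, e.g. `// subgroup order; also used below to pad the nonce to a fixed bit-length`. Note that the padding step in the next hunk branches on `ks.BitCount()`, which is itself nonce-dependent, so a branch-free variant (always add `q`, then add it once more under an arithmetic mask) would be the natural constant-time follow-up, though that hunk's tail is outside this view. The enclosing signing function (likely the signer's SignAndRestart) starts before and ends after this hunk.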
@@ -1617,8 +1617,13 @@ public:
k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
}
+ Integer ks = k + q;
+ if (ks.BitCount() == q.BitCount()) {
+ ks += q;
+ }
+
Integer r, s;
- r = params.ConvertElementToInteger(params.ExponentiateBase(k));
+ r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);
/*