From f68f00f5601f6e4aade302e92cb1a7f8e85c250f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1n=20Jan=C4=8D=C3=A1r?=
Date: Mon, 29 Jul 2019 16:12:14 +0200
Subject: Fix ECDSA scalar multiplication leakage of bit-length. (GH #870)

This fixes the timing leakage of bit-length of nonces in ECDSA by essentially fixing the bit-length, by using a nonce equivalent modulo the subgroup order.
---
 pubkey.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'pubkey.h')

diff --git a/pubkey.h b/pubkey.h
index 9af794be..41249448 100644
--- a/pubkey.h
+++ b/pubkey.h
@@ -1604,10 +1604,10 @@ public:
 if (rng.CanIncorporateEntropy())
 rng.IncorporateEntropy(representative, representative.size());
 
+ const Integer& q = params.GetSubgroupOrder();
 Integer k;
 if (alg.IsDeterministic())
 {
- const Integer& q = params.GetSubgroupOrder();
 const Integer& x = key.GetPrivateExponent();
 const DeterministicSignatureAlgorithm& det = dynamic_cast(alg);
 k = det.GenerateRandom(x, q, e);
@@ -1617,8 +1617,13 @@ public:
 k.Randomize(rng, 1, params.GetSubgroupOrder()-1);
 }
 
+ Integer ks = k + q;
+ if (ks.BitCount() == q.BitCount()) {
+ ks += q;
+ }
+
 Integer r, s;
- r = params.ConvertElementToInteger(params.ExponentiateBase(k));
+ r = params.ConvertElementToInteger(params.ExponentiateBase(ks));
 alg.Sign(params, key.GetPrivateExponent(), k, e, r, s);
 
 /*
-- 
cgit v1.2.1
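Review bot: The new `if (ks.BitCount() == q.BitCount())` in the second hunk is itself a branch on a value derived from the secret nonce k, so whether the second `ks += q` executes may still be observable through timing or branch prediction and would reveal on which side of 2^BitCount(q) - q the nonce lies; computing both k + q and k + 2q unconditionally and choosing between them with a constant-time select keyed on that comparison would close the residual. The fix also presumes that `params.ExponentiateBase(ks)` runs in time independent of the scalar's bit pattern once its length is fixed, which nothing in the hunk establishes, so that assumption is worth stating where the scalar multiplication is implemented. A comment above the block would record the rationale for the next reader, e.g. `// Pass k + q (or k + 2q) to ExponentiateBase so the scalar always has BitCount(q) + 1 bits; ks == k (mod q), so r is unchanged and alg.Sign still uses k.` The `k.Randomize(rng, 1, params.GetSubgroupOrder()-1)` line in the same hunk could use the newly hoisted `q` instead of re-fetching the subgroup order. The enclosing signing function begins before the first hunk and ends after the second.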