From 247c4d3c8876dbf52c6c100600ea9b9840cbc904 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Oct 2019 10:18:51 +0100 Subject: [PATCH] ECDSA: Fix side channel vulnerability The blinding applied to the scalar before modular inversion is inadequate. Bignum is not constant time/constant trace, side channel attacks can retrieve the blinded value, factor it (it is smaller than RSA keys and not guaranteed to have only large prime factors). Then the key can be recovered by brute force. Reducing the blinded value makes factoring useless because the adversary can only recover pk*t+z*N instead of pk*t. --- library/ecdsa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ecdsa.c b/library/ecdsa.c index bda9262c9..5084b7c9d 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -363,6 +363,7 @@ modn: MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );