Generating the ECDSA nonce k samples a random number r and then
truncates this randomness with a modular reduction mod n, where n is the
order of the elliptic curve; that is, k = r mod n. The division used
during the reduction estimates a quotient q_e by dividing the upper two
digits of r (a digit being, e.g., 8 bytes wide) by the upper digit of
n, and then decrements q_e in a loop until it has the correct size.
Observing the number of times q_e is decremented through a
control-flow-revealing side channel exposes a bias in the most
significant bits of k. Depending on the curve this is either a
negligible bias or a significant bias, large enough to reconstruct k
with lattice reduction methods. For SECP160R1, for example, we find a
bias of 15 bits.
History
Tue, 27 Aug 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | | ssvc |

Tue, 27 Aug 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. |
Title | | ECDSA nonce bias caused by truncation |
Weaknesses | | CWE-203 |
References | | |
Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: wolfSSL
Published: 2024-08-27T18:44:52.770Z
Updated: 2024-08-27T19:14:35.190Z
Reserved: 2024-02-15T17:38:16.603Z
Link: CVE-2024-1544
Vulnrichment
Updated: 2024-08-27T19:14:28.355Z
NVD
Status: Awaiting Analysis
Published: 2024-08-27T19:15:16.547
Modified: 2024-08-28T12:57:39.090
Link: CVE-2024-1544
Redhat
No data.