Side-Channel Attack on ECDSA Nonce k Generation Reveals Significant Bias
CVE-2024-1544

4.1MEDIUM

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 27 August 2024

Summary

Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.

Affected Version(s)

wolfSSL 0 <= 5.6.4

References

https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-st...

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 27, 2024
Vulnerability Reserved
Feb 15, 2024

Credit

Florian Sieck, Luca Wilke and Thomas Eisenbarth from Universität zu Lübeck