mbedtls/ChangeLog.d/ecdsa-random-leading-zeros.txt

Security
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
  An adversary who is capable of very precise timing measurements could
  learn partial information about the leading bits of the nonce used for the
  signature, allowing the recovery of the private key after observing a
  large number of signature operations. This completes a partial fix in
  Mbed TLS 2.20.0.
Fix non-constant-time comparison in mbedtls_mpi_random Calling mbedtls_mpi_cmp_int reveals the number of leading zero limbs to an adversary who is capable of very fine-grained timing measurements. This is very little information, but could be practical with secp521r1 (1/512 chance of the leading limb being 0) if the adversary can measure the precise timing of a large number of signature operations. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2021-04-13 21:09:10 +02:00			`Security`
			`* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.`
			`An adversary who is capable of very precise timing measurements could`
			`learn partial information about the leading bits of the nonce used for the`
			`signature, allowing the recovery of the private key after observing a`
			`large number of signature operations. This completes a partial fix in`
			`Mbed TLS 2.20.0.`