CVE-2024-1544 ECDSA nonce bias caused by truncation

2024-08-2718:44:52

CWE-203

wolfSSL

www.cve.org

ecdsa

nonce bias

truncation

cve-2024-1544

elliptic curve

modular reduction

side-channel

lattice reduction

CVSS3

4.1

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

9.5%

JSON

Generating the ECDSA nonce k samples a random number r and then
truncates this randomness with a modular reduction mod n where n is the
order of the elliptic curve. Meaning k = r mod n. The division used
during the reduction estimates a factor q_e by dividing the upper two
digits (a digit having e.g. a size of 8 byte) of r by the upper digit of
n and then decrements q_e in a loop until it has the correct size.
Observing the number of times q_e is decremented through a control-flow
revealing side-channel reveals a bias in the most significant bits of
k. Depending on the curve this is either a negligible bias or a
significant bias large enough to reconstruct k with lattice reduction
methods. For SECP160R1, e.g., we find a bias of 15 bits.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "wolfSSL",
    "programFiles": [
      "wolfcrypt/src/ecc.c"
    ],
    "vendor": "wolfSSL",
    "versions": [
      {
        "lessThanOrEqual": "5.6.4",
        "status": "affected",
        "version": "0",
        "versionType": "Release"
      }
    ]
  }
]