Mbed TLS -- Side channel attack on ECDSA

2019-10-25T00:00:00
ID B70B880F-5727-11EA-A2F3-001CC0382B2F
Type freebsd
Reporter FreeBSD
Modified 2019-10-25T00:00:00

Description

Janos Follath reports:

Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key.