Minerva Attack

ecdsa is vulnerable to Minerva Attack. The vulnerability is due to timing discrepancies within the ecdsa.SigningKey.sign_digest function, which allows attackers to deduce the private key by analyzing the time taken to generate ECDSA signatures with varying nonce sizes. The maintainers will not provide a fix, and replied to the disclosure with > As stated in the security policy side-channel vulnerabilities are outside the scope of the project. Not because we don’t want side-channel secure implementation, but because the main goal of the project is to be pure python and implementing side-channel free code in pure python is impossible. > As such, we don’t plan to release a fix to this vulnerability.