diff options
author | Jack Lloyd <[email protected]> | 2018-12-16 20:33:49 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-12-18 10:20:35 -0500 |
commit | 70aa7303acfff9eefc24598c289a84db3579ebd1 (patch) | |
tree | 56506633ac75588c95c7b9277e61e13d932aa85e /src/lib/x509 | |
parent | c36f2885b896de0db5713b1bda0a294fc4060909 (diff) |
Avoid using unblinded Montgomery ladder during ECC key generation
As doing so means that information about the high bits of the scalar can leak
via timing since the loop bound depends on the length of the scalar. An attacker
who has such information can perform a more efficient brute force attack (using
Pollard's rho) than would be possible otherwise.
Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester)
CVE-2018-20187
Diffstat (limited to 'src/lib/x509')
0 files changed, 0 insertions, 0 deletions