Report
Hello python-ecdsa team,
My team and I have tested python-ecdsa and we found that it is vulnerable to the Minerva attack.
The test scenario is that we are signing random messages using the ecdsa.SigningKey.sign_digest()
API function. Then using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce we compare full-sized nonces to smaller ones and use the statistical tests to compare the signature times.
For testing, we used ecdsa package version 0.18.0.
In these results, we can clearly see that there is a leak. There is a clear dependency between the bit size of K and the size of the side channel. Each k size takes less and less to be processed. The sample tested has 719,882 observations.
Here you can find more information about the Minerva attack.
For any questions, feel free to contact us.
Hubert Kario @tomato42 <hkario@redhat.com>
George Pantelakis <gpantela@redhat.com>
Reply/Mitigation
Thanks for the report, unfortunately that's the expected result—our scalar multiplication is not constant time.
That means both ECDSA signatures, key generation, and ECDH operations are affected.
ECDSA signature verification is unaffected.
As stated in the security policy side-channel vulnerabilities are outside the scope of the project. Not because we don't want side-channel secure implementation, but because the main goal of the project is to be pure python and implementing side-channel free code in pure python is impossible.
As such, we don't plan to release a fix to this vulnerability.
Report
Hello python-ecdsa team,
My team and I have tested python-ecdsa and we found that it is vulnerable to the Minerva attack.
The test scenario is that we are signing random messages using the
ecdsa.SigningKey.sign_digest()
API function. Then using the private key, we extract the K value from the signatures. After that, based on the bit size of the extracted nonce we compare full-sized nonces to smaller ones and use the statistical tests to compare the signature times.For testing, we used ecdsa package version 0.18.0.
In these results, we can clearly see that there is a leak. There is a clear dependency between the bit size of K and the size of the side channel. Each k size takes less and less to be processed. The sample tested has 719,882 observations.
Here you can find more information about the Minerva attack.
For any questions, feel free to contact us.
Hubert Kario @tomato42 <hkario@redhat.com>
George Pantelakis <gpantela@redhat.com>
Reply/Mitigation
Thanks for the report, unfortunately that's the expected result—our scalar multiplication is not constant time.
That means both ECDSA signatures, key generation, and ECDH operations are affected.
ECDSA signature verification is unaffected.
As stated in the security policy side-channel vulnerabilities are outside the scope of the project. Not because we don't want side-channel secure implementation, but because the main goal of the project is to be pure python and implementing side-channel free code in pure python is impossible.
As such, we don't plan to release a fix to this vulnerability.