oss-sec mailing list archives

Minerva: ECDSA key recovery from bit-length leakage


From: Ján Jančár <445358 () mail muni cz>
Date: Wed, 2 Oct 2019 23:00:22 +0200

*Webpage*
=========

https://minerva.crocs.fi.muni.cz/


*Vulnerability*
===============

Minerva is a group of vulnerabilities in ECDSA/EdDSA implementations that allows
for practical recovery of the long-term private key.

We have found implementations which leak the bit-length of the scalar during
scalar multiplication on an elliptic curve. This leakage might seem minuscule, as
the bit-length is a very small amount of information about the scalar. However,
in the case of ECDSA/EdDSA signature generation, the leaked bit-length of the
random nonce is enough for full recovery of the private key used, after
observing a few hundred to a few thousand signatures on known messages, due to
the application of lattice techniques.

https://minerva.crocs.fi.muni.cz/
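The leak described above is an implementation pattern, not a flaw in the curve math: a double-and-add loop that runs once per bit of the nonce does an amount of work proportional to the nonce's bit-length, so an observer who can time the signing operation learns how many leading zero bits the nonce has. The example below is added here and is not code from the Minerva authors or from any of the listed libraries. It uses toy affine arithmetic on the public secp256k1 parameters to put the leaky loop next to a fixed-iteration Montgomery ladder, and counts loop iterations as a stand-in for elapsed time. The ladder still branches on the bit value (a real constant-time implementation replaces that with a conditional swap), but its iteration count no longer depends on the scalar, which is the property that defeats the bit-length side channel.

```python
# Added example (not from the advisory or any affected library): the leaky
# bit-length-dependent scalar multiplication beside a fixed-width ladder.
# Toy affine arithmetic on secp256k1; parameters are the curve's public constants.

P  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G  = (GX, GY)
INF = None  # point at infinity


def on_curve(pt):
    """y^2 == x^3 + 7 (mod P) for secp256k1; INF counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_double(p1):
    if p1 is INF:
        return INF
    x1, y1 = p1
    if y1 == 0:
        return INF
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # a == 0 on secp256k1
    x3 = (lam * lam - 2 * x1) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                      # p2 == -p1
            return INF
        return point_double(p1)                     # p2 == p1
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult_leaky(k, point):
    """Double-and-add over exactly k.bit_length() bits (the Minerva pattern).

    Returns (k*point, iterations). The iteration count, and therefore the
    running time, equals the bit-length of k: a short nonce finishes sooner.
    """
    q = INF
    iterations = 0
    for bit in bin(k)[2:]:
        q = point_double(q)
        if bit == "1":
            q = point_add(q, point)
        iterations += 1
    return q, iterations


def scalar_mult_fixed(k, point, width=256):
    """Montgomery ladder over a fixed number of bits, independent of k.

    Invariant: r1 == r0 + point. Every iteration performs one addition and one
    doubling, so the iteration count is always `width`. (A production
    implementation would also replace the data-dependent branch below with a
    constant-time conditional swap.)
    """
    r0, r1 = INF, point
    iterations = 0
    for i in range(width - 1, -1, -1):
        if (k >> i) & 1:
            r0 = point_add(r0, r1)
            r1 = point_double(r1)
        else:
            r1 = point_add(r0, r1)
            r0 = point_double(r0)
        iterations += 1
    return r0, iterations


def iteration_counts(mult, scalars):
    """What a timing observer sees: one work count per signing operation."""
    return [mult(k, G)[1] for k in scalars]


if __name__ == "__main__":
    # Constructed sample nonces of very different bit-lengths.
    nonces = [0xABCDEF, (1 << 200) | 5, N - 2]
    print("leaky:", iteration_counts(scalar_mult_leaky, nonces))   # varies
    print("fixed:", iteration_counts(scalar_mult_fixed, nonces))   # constant
```

Running the block prints a list of iteration counts that mirrors each nonce's bit-length for the leaky loop and a constant 256 for the ladder. The same distinction is what to look for when auditing a library: any loop bound derived from the scalar's actual bit-length, rather than from the curve order's width, reproduces the affected pattern.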


*Affected*
==========

 * Cards
   - Athena IDProtect
 * Libraries
   - libgcrypt up to 1.8.4, fixed in 1.8.5
   - wolfSSL/wolfCrypt up to 4.0.0, fixed in 4.1.0
   - MatrixSSL up to 4.2.1
   - SunEC/OpenJDK/OracleJDK up to JDK 12
   - Crypto++ up to 8.2.0
 * Other
   - https://github.com/indutny/elliptic/ 875 stars, 2670640 uses
   - https://github.com/kjur/jsrsasign 2015 stars, 7406 uses


*CVEs*
======

 * CVE-2019-15809 - Athena IDProtect cards
 * CVE-2019-13627 - libgcrypt
 * CVE-2019-13628 - wolfSSL/wolfCrypt
 * CVE-2019-13629 - MatrixSSL
 * CVE-2019-2894  - SunEC/OpenJDK/OracleJDK
 * CVE-2019-14318 - Crypto++

