Date: Wed, 2 Oct 2019 23:00:22 +0200
From: Ján Jančár
Subject: Minerva: ECDSA key recovery from bit-length leakage



Minerva is a group of vulnerabilities in ECDSA/EdDSA implementations that allows
for practical recovery of the long-term private key.

We have found implementations which leak the bit-length of the scalar during
scalar multiplication on an elliptic curve. This leakage might seem minuscule, as
the bit-length represents a very small part of the information in the
scalar. However, in the case of ECDSA/EdDSA signature generation, the leaked
bit-length of the random nonce is enough for full recovery of the private key
used after observing a few hundred to a few thousand signatures on known
messages, due to the application of lattice techniques.


 * Cards
   - Athena IDProtect
 * Libraries
   - libgcrypt up to 1.8.4, fixed in 1.8.5
   - wolfSSL/wolfCrypt up to 4.0.0, fixed in 4.1.0
   - MatrixSSL up to 4.2.1
   - SunEC/OpenJDK/OracleJDK up to JDK 12
   - Crypto++ up to 8.2.0
 * Other
   - 875 stars, 2670640 uses
   - 2015 stars, 7406 uses


 * CVE-2019-15809 - Athena IDProtect cards
 * CVE-2019-13627 - libgcrypt
 * CVE-2019-13628 - wolfSSL/wolfCrypt
 * CVE-2019-13629 - MatrixSSL
 * CVE-2019-2894  - SunEC/OpenJDK/OracleJDK
 * CVE-2019-14318 - Crypto++
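
The bit-length leak described above, shown on NIST P-256 as an added example (not code from the advisory or from any affected library): a plain double-and-add loop runs once per bit of the nonce, so its running time tracks the bit-length, while recoding the nonce to k + N or k + 2N, a commonly used countermeasure, fixes the loop length without changing the resulting point. The function names and the sample nonces are constructed for illustration.

```python
# NIST P-256 domain parameters (field prime, curve coefficient a, order, base point).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # P + (-P), or doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Left-to-right double-and-add. Returns (k*point, loop iterations).

    The loop starts at the top set bit, so the iteration count equals
    k.bit_length(); that count is what a timing observer learns.
    """
    acc, iterations = None, 0
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":                    # still data-dependent; only the
            acc = add(acc, point)         # bit-length signal is addressed here
        iterations += 1
    return acc, iterations

def fixed_length(k):
    """Recode 0 < k < N as k + N or k + 2N so it always has N.bit_length() + 1 bits."""
    k2 = k + N
    if k2.bit_length() == N.bit_length():
        k2 += N
    return k2                             # k2 = k (mod N), so k2*G == k*G

if __name__ == "__main__":
    for k in (2**200 + 12345, 2**250 + 7, N - 1):   # constructed sample nonces
        print(k.bit_length(), scalar_mult(k)[1], scalar_mult(fixed_length(k))[1])
```

A production implementation also needs a constant-time ladder and field arithmetic; this block isolates only the loop-length signal that the bit-length leak exposes.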
