|Title||Side channel attack on ECDSA|
|Date||15th January 2020|
|Affects||All versions of Mbed TLS and Mbed Crypto|
|Impact||The private key is recoverable through side channels.|
|Credit||Alejandro Cabrera Aldaya and Billy Brumley|
Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
If the adversary is in the position to launch a cache attack, then they may be able to recover the private key.
Affected users should upgrade to one of the most recent versions of Mbed TLS, including 2.20.0, 2.16.4 or 2.7.13 or later. Similarly, affected users should upgrade to the most recent version of Mbed Crypto, including 3.0.1 or later.
edit: Earlier, this document falsely stated that Mbed Crypto 3.0.0 fixes this issue. This is not true, Mbed Crypto 3.0.1 is the earliest version with the fix. Users should upgrade to Mbed Crypto 3.0.1 or later.
There are no known workarounds.