From deba2585ee1c59659c4c631adb3bd6fd262b44d6 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Sat, 5 Oct 2019 17:38:45 +0200
Subject: [PATCH] ecdsa: Apply nonce bit-length mitigation to stop timing leakage.

- See https://minerva.crocs.fi.muni.cz
---
 lib/elliptic/ec/index.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/elliptic/ec/index.js b/lib/elliptic/ec/index.js
index 0f1d8ce..d93cd54 100644
--- a/lib/elliptic/ec/index.js
+++ b/lib/elliptic/ec/index.js
@@ -125,7 +125,17 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
     if (k.cmpn(1) <= 0 || k.cmp(ns1) >= 0)
       continue;
 
-    var kp = this.g.mul(k);
+    // Fix the bit-length of the random nonce,
+    // so that it doesn't leak via timing.
+    // This does not change that ks = k mod n
+    var ks = k.add(this.n);
+    var kt = ks.add(this.n);
+    var kp;
+    if (ks.bitLength() == this.n.bitLength())
+      kp = this.g.mul(kt);
+    else
+      kp = this.g.mul(ks);
+
     if (kp.isInfinity())
       continue;
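Review bot: The new `if (ks.bitLength() == this.n.bitLength())` selects between `kt` and `ks` with a branch on a nonce-derived value (whether `k + n` overflowed the bit length of `n`), whereas the same mitigation elsewhere is usually written as a constant-time select; the branch cost is negligible next to the scalar multiplication, but the comment should state the property the fix relies on, e.g. `// Selected scalar always has bitLength n.bitLength() + 1; relies on this.g.mul() running in time determined by the scalar's bit-length`. The comment block should also say that this covers only the scalar multiplication: if the nonce is later inverted with a variable-time `k.invm(this.n)` further down in sign (outside this hunk), that step presumably still depends on the value of `k` and is not addressed here. For consistency with strict comparison elsewhere in the file, write `if (ks.bitLength() === this.n.bitLength())`. The enclosing sign function starts and ends outside the hunk.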