An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before
2.7.15. An attacker that can get precise enough side-channel measurements
can recover the long-term ECDSA private key by (1) reconstructing the
projective coordinate of the result of scalar multiplication by exploiting
side channels in the conversion to affine coordinates; (2) using an attack
described by Naccache, Smart, and Stern in 2003 to recover a few bits of
the ephemeral scalar from those projective coordinates via several
measurements; and (3) using a lattice attack to get from there to the
long-term ECDSA private key used for the signatures. Typically an attacker
would have sufficient access when attacking an SGX enclave and controlling
the untrusted OS.
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 LTS (Focal Fossa):needs-triage
Ubuntu 20.10 (Groovy Gorilla):needs-triage
More Information

Updated: 2020-04-29 19:14:26 UTC (commit bd6a073bfafc38621ce8c443b88e12892f0b4449)