From f2481be09d3b66949cd174ea31538044b352d87c Mon Sep 17 00:00:00 2001
From: J08nY
Date: Sun, 6 Oct 2019 11:02:54 +0200
Subject: [PATCH] Apply nonce bit-length mitigation to stop timing leakage.

- See https://minerva.crocs.fi.muni.cz for more info.
---
 lib/ecdsa/sign.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/ecdsa/sign.rb b/lib/ecdsa/sign.rb
index d009a93..ad1da2c 100644
--- a/lib/ecdsa/sign.rb
+++ b/lib/ecdsa/sign.rb
@@ -25,10 +25,17 @@ def self.sign(group, private_key, digest, temporary_key)
 # Second part of step 1: Select ephemeral elliptic curve key pair
 # temporary_key was already selected for us by the caller
- r_point = group.new_point temporary_key
+ point_field = PrimeField.new(group.order)
+ k = point_field.mod(temporary_key)
+ ks = k + group.order
+ kt = ks + group.order
+ if ECDSA.bit_length(ks) == ECDSA.bit_length(group.order)
+ r_point = group.new_point kt
+ else
+ r_point = group.new_point ks
 # Steps 2 and 3
- point_field = PrimeField.new(group.order)
+ r = point_field.mod(r_point.x)
 return nil if r.zero?