CVE-2019-14318
Description
Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation, allowing private key recovery via lattice attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Crypto++ versions 8.3.0 and earlier (as far back as 3.2) contain a timing side channel in ECDSA signature generation. The scalar multiplication in ecp.cpp (prime field curves) and algebra.cpp (binary field curves) is not constant time, leaking the bit length of the scalar (nonce) among other information [1][3].
Exploitation
An attacker, local or remote, capable of measuring the duration of hundreds to thousands of ECDSA signing operations on known messages can exploit this leakage. The attacker uses a lattice attack based on the Hidden Number Problem to recover the long-term private key [1][3]. The number of required signatures ranges from 500 to 10,000 depending on noise and curve [3].
Impact
Full recovery of the ECDSA private key, enabling the attacker to forge signatures and impersonate the key owner [1].
Mitigation
As of the available references, no official fix has been documented. Users should upgrade to a patched version if available (e.g., Crypto++ 8.4.0 or later) or implement constant-time scalar multiplication to mitigate the leakage [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Crypto++ / Crypto++
  - Range: <=8.3.0
  - OSV coordinates (5 versions):
    - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 5.6.5-bp151.4.3.1
    - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 5.6.5-bp151.4.3.1
    - pkg:rpm/opensuse/libcryptopp&distro=openSUSE%20Tumbleweed (no CPE), range: < 8.6.0-1.1
    - pkg:rpm/suse/libcryptopp&distro=SUSE%20Package%20Hub%2015 (no CPE), range: < 5.6.5-bp151.4.3.1
    - pkg:rpm/suse/libcryptopp&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE), range: < 5.6.5-bp151.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Scalar multiplication in ECDSA signature generation is not constant-time, leaking the bit length of the scalar through timing side channels."
Attack vector
An attacker measures the duration of hundreds to thousands of ECDSA signing operations performed by the victim. The non-constant-time scalar multiplication in ecp.cpp (prime field curves) and algebra.cpp (binary field curves) leaks the bit length of the scalar and other secret-dependent timing information [ref_id=1]. By collecting these timing measurements, the attacker can apply lattice-based techniques (the Hidden Number Problem) to recover the full ECDSA private key [ref_id=1]. The attack can be carried out locally or remotely, as long as the attacker can observe signing operation durations.
Affected code
The vulnerable code is in scalar multiplication routines within ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) of Crypto++ 8.3.0 and earlier [ref_id=1]. These functions are not constant-time and leak the bit length of the scalar during ECDSA signature generation.
What the fix does
The advisory does not include a patch or specific remediation code. It recommends implementing constant-time scalar multiplication to eliminate secret-dependent timing variations [ref_id=1]. The suggested countermeasures ensure that the execution path and duration of scalar multiplication do not depend on the bit length or value of the scalar, closing the timing side channel exploited by the attack [ref_id=1].
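To make the countermeasure from the Mitigation and "What the fix does" sections concrete, the following is example code written for this page (not Crypto++'s own ecp.cpp or algebra.cpp): it implements scalar multiplication on a tiny constructed curve two ways and counts group operations, so the secret-dependent work of the classic double-and-add loop can be compared with the fixed work of a Montgomery ladder that uses mask-based swaps. The curve y^2 = x^3 + 2x + 3 over F_97, base point (3,6), the 8-bit ladder length NBITS and the g_ops counter are all constructed assumptions, and the toy field arithmetic only models the algorithmic leak, not machine-level timing.

```cpp
#include <cstdint>
// Toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed for illustration, not a real curve).
static const uint64_t P = 97, A = 2, NBITS = 8;             // NBITS: fixed ladder length
struct Pt { uint64_t x = 0, y = 0, inf = 1; };              // inf=1 marks the point at infinity
static const Pt G{3, 6, 0};                                 // base point; (3,6) lies on the curve
static long g_ops = 0;                                      // group operations performed so far
static uint64_t inv(uint64_t a) {                           // Fermat inverse; the exponent is public
    uint64_t r = 1;
    for (uint64_t e = P - 2; e; e >>= 1, a = a * a % P) if (e & 1) r = r * a % P;
    return r;
}
// Affine group law. Its branches on point equality are not the leak this CVE describes
// (production code would use complete formulas); the leak is in the scalar loops below.
static Pt add(Pt p, Pt q) {
    ++g_ops;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && (p.y + q.y) % P == 0) return Pt{};    // q == -p: result is infinity
    uint64_t lam = p.x != q.x ? (q.y + P - p.y) % P * inv((q.x + P - p.x) % P) % P   // chord slope
                              : (3 * p.x * p.x + A) % P * inv(2 * p.y % P) % P;       // tangent slope
    Pt r; r.inf = 0;
    r.x = (lam * lam + 2 * P - p.x - q.x) % P;
    r.y = (lam * ((p.x + P - r.x) % P) + P - p.y) % P;
    return r;
}
// Vulnerable pattern: the loop starts at the scalar's top set bit, so the number of
// doublings reveals its bit length and the number of additions its Hamming weight.
static Pt mul_variable(uint64_t k, Pt g) {
    int n = 0; for (uint64_t t = k; t; t >>= 1) ++n;        // bit length of k
    Pt r;                                                   // starts at infinity
    for (int i = n - 1; i >= 0; --i) { r = add(r, r); if ((k >> i) & 1) r = add(r, g); }
    return r;
}
// Hardened pattern: Montgomery ladder with a fixed iteration count and a mask-based
// conditional swap instead of a secret-dependent branch, so the work is independent of k.
static void cswap(Pt &a, Pt &b, uint64_t bit) {
    uint64_t m = 0 - bit, tx = m & (a.x ^ b.x), ty = m & (a.y ^ b.y), ti = m & (a.inf ^ b.inf);
    a.x ^= tx; b.x ^= tx; a.y ^= ty; b.y ^= ty; a.inf ^= ti; b.inf ^= ti;
}
static Pt mul_ladder(uint64_t k, Pt g) {
    Pt r0, r1 = g;                                          // invariant: r1 == r0 + g
    for (int i = NBITS - 1; i >= 0; --i) {                  // one addition and one doubling per bit
        uint64_t bit = (k >> i) & 1;
        cswap(r0, r1, bit); r1 = add(r0, r1); r0 = add(r0, r0); cswap(r0, r1, bit);
    }
    return r0;
}
static bool same(Pt a, Pt b) { return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y)); }
static long ops(Pt (*f)(uint64_t, Pt), uint64_t k) { g_ops = 0; f(k, G); return g_ops; }
```

Calling ops(mul_variable, k) for nonces of different lengths returns bit length plus Hamming weight of k, while ops(mul_ladder, k) always returns 2 * NBITS; both routines agree on the resulting point.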
Preconditions
- Network: attacker must be able to observe the duration of signing operations (local or remote timing measurement).
- Input: victim must perform hundreds to thousands of ECDSA signing operations while the attacker can measure their timing.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00066.html (MITRE; vendor advisory; x_refsource_SUSE)
- www.openwall.com/lists/oss-security/2019/10/02/2 (MITRE; mailing list; x_refsource_MLIST)
- eprint.iacr.org/2011/232.pdf (MITRE; x_refsource_MISC)
- github.com/weidai11/cryptopp/issues/869 (MITRE; x_refsource_MISC)
- minerva.crocs.fi.muni.cz (MITRE; x_refsource_MISC)
- tches.iacr.org/index.php/TCHES/article/view/7337 (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.