Elliptic Leading Zero Vulnerability in ECDSA Implementation Allows Key Exposure

Vulnerability

A vulnerability exists in the Elliptic package's ECDSA implementation, all versions through 6.6.1, where incorrect signature generation can occur. This issue arises because the interim value of 'k', as calculated according to RFC 6979, can be improperly truncated if it contains leading zeros. This flaw not only creates invalid signatures that disrupt legitimate transactions but also, under certain conditions, allows attackers to derive the private key by combining a faulty signature from the vulnerable version with a correct signature for the same inputs.
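The leading-zero truncation described above, modelled as an added example; this is not the Elliptic package's code or HeroDevs' fix. It contrasts the RFC 6979 section 2.3.2 `bits2int` conversion with a flawed variant that measures length after integer conversion, and flags the inputs on which they disagree. Assumptions: the 521-bit order length, the constructed 66-octet candidates, and the helper names `bits2intMinimalLength`, `candidate` and `divergingCandidates` are hypothetical.

```javascript
// Added illustration: a model of the bug class, not the Elliptic package's source.
// Assumption: QLEN = 521 (the P-521 order length), chosen because it is not a
// multiple of 8, so bits2int has to discard low-order bits of each candidate.
const QLEN = 521;
const RLEN = Math.ceil(QLEN / 8); // 66 octets per candidate T

function toBigInt(octets) {
  return BigInt('0x' + Buffer.from(octets).toString('hex'));
}

// RFC 6979 section 2.3.2: the bit length is taken from the octet string
// itself, so leading zero octets still count towards the shift amount.
function bits2int(octets, qlen) {
  const blen = octets.length * 8;
  const value = toBigInt(octets);
  return blen > qlen ? value >> BigInt(blen - qlen) : value;
}

// Flawed variant: the length is measured after conversion to an integer, so
// leading zero octets are lost and the shift amount is computed too small.
function bits2intMinimalLength(octets, qlen) {
  const value = toBigInt(octets);
  const blen = value === 0n ? 0 : Math.ceil(value.toString(16).length / 2) * 8;
  return blen > qlen ? value >> BigInt(blen - qlen) : value;
}

// Constructed candidates (not real nonces): RLEN octets with a chosen first octet.
function candidate(firstOctet) {
  const t = new Uint8Array(RLEN).fill(0xa5);
  t[0] = firstOctet;
  return t;
}

// Regression check: returns the candidates on which the two conversions disagree.
function divergingCandidates(candidates, qlen) {
  return candidates.filter(
    (t) => bits2int(t, qlen) !== bits2intMinimalLength(t, qlen)
  );
}

const samples = [0x81, 0x00, 0x01, 0x7f].map(candidate);
const bad = divergingCandidates(samples, QLEN);
console.log(`${bad.length} of ${samples.length} candidates diverge; first octets:`,
  bad.map((t) => t[0]));
```

Only the candidate with a leading zero octet diverges, which is why such a defect stays hidden for most messages and surfaces only through a test that forces leading zeros.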

Impact

Exploitation of this vulnerability can lead to unauthorized exposure of the private key used in the ECDSA signing process.

Reproduction

To reproduce this vulnerability, install the Elliptic package and use it to generate a signature with a message that causes the leading zero issue. The generated signature will be incorrect. This can be verified by comparing it to a signature produced by a correct implementation, such as the @noble/curves package.

Remediation

Users are advised to upgrade to Elliptic version 6.6.3, available through the HeroDevs Never-Ending Support program, and to invalidate any private keys used with vulnerable versions.

Added: Jan 8, 2026, 9:23 PM
Updated: Jan 8, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.