
Review for timing attacks

Open alex opened this issue 12 years ago • 2 comments

My understanding is that we're concerned that any function over the secret key (or something derived from it) must take time independent of the input value. Here are the possible issues I see:

  • [ ] scalarmult takes time in e, and in publickey() e is a function of sk; not sure if this is a concern (it's a function of the magnitude of e, which may not correlate with an individual value)
  • [ ] In encodepoint (as called from publickey()), y >> i is probably not timing independent; its time is a function of the magnitude of y.
  • [ ] In publickey and signature, 2 ** i * bit(h, i) takes time in the magnitude of the bit from h (h is computed from the sha256 of sk, so perhaps it can't be reversed?)

Those are what I have for now, more review is definitely needed.

alex avatar Oct 05 '13 18:10 alex
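As an added example (not code from this repository or from anyone in the thread), the per-bit formulations behind the second and third bullets are placed next to fixed-width byte formulations that produce the same values. It assumes the SHA-512-based secret-scalar derivation of the ed25519 reference code; Python big-integer arithmetic is not guaranteed constant-time in either form, so the comparison only shows that the byte form removes the per-bit loop whose work depends on which bits of the input are set.

```python
import hashlib

b = 256  # scalar/field bit width used by the reference ed25519.py


def bit(h, i):
    # Reference-style accessor: bit i of the byte string h, little-endian bit order.
    return (h[i // 8] >> (i % 8)) & 1


def secret_scalar_bitwise(sk):
    # Shape of the derivation discussed in the issue: one 2**i * bit(h, i) term per
    # bit, so the big-integer work grows with i and with which bits of h are set.
    h = hashlib.sha512(sk).digest()
    return 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2))


def secret_scalar_bytewise(sk):
    # Same value via fixed-width byte masking (the spec's "clamping") followed by a
    # single fixed-length little-endian conversion: no per-bit loop over h.
    h = bytearray(hashlib.sha512(sk).digest()[:32])
    h[0] &= 248       # clear bits 0..2
    h[31] &= 63       # clear bits 254 and 255
    h[31] |= 64       # set bit 254
    return int.from_bytes(h, "little")


def encodeint_bitwise(y):
    # Reference-style encoding: shifts y by every i in 0..b-1, so the work per
    # shift tracks the magnitude of y (the encodepoint / encodeint concern).
    bits = [(y >> i) & 1 for i in range(b)]
    return bytes(sum(bits[i * 8 + j] << j for j in range(8)) for i in range(b // 8))


def encodeint_bytewise(y):
    # Fixed-width 32-byte little-endian encoding in one call.
    return y.to_bytes(b // 8, "little")


if __name__ == "__main__":
    sk = bytes(range(32))  # constructed sample secret key, not a real one
    assert secret_scalar_bitwise(sk) == secret_scalar_bytewise(sk)
    assert encodeint_bitwise(2 ** 255 - 19) == encodeint_bytewise(2 ** 255 - 19)
```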

Hopefully the third might be solved by #17

The second would include both encodepoint and encodeint

Ivoz avatar Oct 06 '13 16:10 Ivoz

This should be closeable after #19.

gnprice avatar Nov 02 '13 09:11 gnprice