Hi, the table listing security properties at [1] notes that secp256k1 curve fails in these two categories, among others:

a) Ladders

Does this mean that an implementation of secp256k1 is likely to have timing side-channel attacks? Is there some suitable analogy of RSA blinding that could be used (multiplication by a random number, then its inverse, to hide timing)?

b) Completeness

Like in "ladders" case, this implies that a timing branch/cache side channel is likely in an actual implementation due to the need to check for special cases?

I just quickly scanned the referenced paper [2], but I probably don't understand the full implications :-)

[1] http://safecurves.cr.yp.to/
[2] http://eprint.iacr.org/2007/286

Ondrej
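
The special cases mentioned under "Completeness", as an added example that is not part of the original message: the textbook affine chord formula on secp256k1 breaks for doubling, for a point plus its negative, and for the point at infinity, so a full addition routine has to branch on its inputs. The function names are hypothetical, and the arithmetic uses Python big integers, which are not constant-time.

```python
# secp256k1 (public constants from SEC 2): y^2 = x^3 + 7 over F_P
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, which has no affine coordinates

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def neg(pt):
    return INF if pt is INF else (pt[0], -pt[1] % P)

def add_generic(p1, p2):
    """Chord formula alone; only valid for two finite points with x1 != x2."""
    (x1, y1), (x2, y2) = p1, p2
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # ValueError when x1 == x2
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def add(p1, p2):
    """Full group law: every special case is an input-dependent branch."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # P + (-P)
    if x1 == x2:                        # P + P: tangent formula (a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
        x3 = (lam * lam - 2 * x1) % P
        return (x3, (lam * (x1 - x3) - y1) % P)
    return add_generic(p1, p2)

def generic_fails(p1, p2):
    """True when the chord formula cannot handle this input pair."""
    try:
        return not on_curve(add_generic(p1, p2))
    except (TypeError, ValueError):     # INF operand or zero denominator
        return True
```
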
