On 12/01/14 14:26, Krisztián Pintér wrote:
> Ondrej Mikle (at Saturday, January 11, 2014, 11:19:30 PM):
> 
>> a) Ladders Does this mean that an implementation of secp256k1 is
>> likely to have timing side-channel attacks?
> 
> "likely" might be a strong word. for some curves, an implementor
> must choose between a safe and a fast and simple implementation.
[...]
>> b) Completeness Like in "ladders" case, this implies that a
>> timing branch/cache side channel is likely in an actual
>> implementation due to the need to check for special cases?
> 
> yep, but i would question the use of "likely" again. unlucky
> curves lead to an implementation nightmare, which will, no doubt,
> be trimmed down every now and again, especially because it doesn't
> affect normal operations, and speeds things up.

Hi Krisztián,

Thanks for this explanation. If I'm stuck with an 'unlucky' curve for
reasons of compatibility, can you give me any advice about checking
the implementation for the problems you mention, either by inspecting
the code or through test cases?

It seems to me that some of the problems listed on safecurves.cr.yp.to
could be caught by tests - for example special cases in the addition
formulas. Other problems could be caught by looking at the source code
- for example we could check that the implementation uses the
Brier-Joye ladder and checks that points are on the curve. But maybe
there are other problems that are harder to catch?

It would be useful to know which curves, if any, can be made safe
through the right implementation choices, and which are unsavable.

Cheers,
Michael

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
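
The kind of test case the message asks about, as an added example that is not part of the original post or of any library: an exhaustive check, on a constructed toy curve with the secp256k1 equation over GF(17), of which inputs an addition routine mishandles. The function names and the tiny field are assumptions chosen so that every input pair can be enumerated.

```python
# Toy curve y^2 = x^3 + 7 over GF(17): the secp256k1 equation over a tiny
# field (constructed for this example), small enough to test exhaustively.
P_MOD, A, B = 17, 0, 7
INF = None  # point at infinity

def on_curve(pt):  # input validation: reject anything not on the curve
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y*y - x*x*x - A*x - B) % P_MOD == 0

def add_chord_only(p, q):
    """'Trimmed down' addition: only the generic chord formula."""
    (x1, y1), (x2, y2) = p, q
    lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD  # undefined if x1 == x2
    x3 = (lam*lam - x1 - x2) % P_MOD
    return x3, (lam*(x1 - x3) - y1) % P_MOD

def add_full(p, q):
    """Reference addition covering every special case of the group law."""
    if p is INF: return q
    if q is INF: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                          # P + (-P), incl. y = 0
    if p == q:
        lam = (3*x1*x1 + A) * pow(2*y1, -1, P_MOD) % P_MOD  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD   # chord
    x3 = (lam*lam - x1 - x2) % P_MOD
    return x3, (lam*(x1 - x3) - y1) % P_MOD

POINTS = [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def failing_pairs(add):
    """Exhaustively compare `add` with the reference; return inputs it gets wrong."""
    bad = []
    for p in POINTS:
        for q in POINTS:
            try:
                ok = add(p, q) == add_full(p, q)
            except (TypeError, ValueError):  # unpacking INF / inverting zero
                ok = False
            if not ok:
                bad.append((p, q))
    return bad

if __name__ == "__main__":
    print(len(failing_pairs(add_chord_only)), "of", len(POINTS)**2, "input pairs mishandled")
```

On a real curve the pairs cannot be enumerated, so the same comparison is run on the special-case classes this toy run exposes: the point at infinity, P + P, and P + (-P).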
