On Wednesday, 1 July 2020 at 07:49:27 UTC, Arafel wrote:
As somebody who also was somewhat involved in infosec and cryptography in a previous life, I found your article really interesting. So, first of all, thanks for taking the time to do the review and for publishing the results!

I see that you mostly focus on the algorithms, but did you also check for side-channel attacks (for instance, timing attacks), or, given the flaws already found, would it make little sense to go deeper?

Fixing the issues from the article would require a huge amount of code changes, so I saw little point in timing the library as is. It must do the right thing before doing it the right way.

I find that following a well-known algorithm is just the easy part when implementing crypto... the hard one is ironing out those pesky "implementation details". That's one of the reasons why I would try to use one of the "big" libraries for cryptography instead of rolling out my own, even if it meant adding an external C/C++ dependency to my project.

I can definitely vouch for that.
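As a concrete illustration of the timing side channel raised above and of the "implementation details" that are easy to get wrong even when the algorithm itself is right, here is an added example; it is not code from this thread or from the library under review. It contrasts an early-exit tag comparison with a constant-time one in C. The tags are constructed sample values, and instead of measuring wall-clock time (which is noisy) the functions report how many bytes they inspected, a deterministic proxy for the data-dependent work an attacker would try to observe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Early-exit comparison (the memcmp-style pattern): the amount of work
   depends on the position of the first mismatching byte, so the caller's
   response time leaks that position. 'steps' reports bytes inspected. */
int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time comparison: every byte is visited, differences are folded
   with OR, and the final result is derived arithmetically rather than by
   branching on secret-dependent data. Returns 1 if equal, 0 otherwise. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    uint32_t d;
    size_t i;
    for (i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    if (steps) *steps = n;
    /* (d | -d) has its top bit set iff d != 0; shift it down and invert. */
    d = diff;
    return (int)(((d | (0u - d)) >> 31) ^ 1u);
}

/* Constructed sample: an expected tag and a presented tag that differs at
   byte 'pos' (pos >= TAG_LEN means the tags are identical). */
static int compare_with_mismatch_at(size_t pos, int use_ct, size_t *steps)
{
    uint8_t expected[TAG_LEN], presented[TAG_LEN];
    size_t i;
    for (i = 0; i < TAG_LEN; i++) {
        expected[i] = (uint8_t)(0xA5 ^ (i * 7));
    }
    memcpy(presented, expected, TAG_LEN);
    if (pos < TAG_LEN) {
        presented[pos] ^= 0x01;
    }
    return use_ct ? tag_equal_ct(expected, presented, TAG_LEN, steps)
                  : tag_equal_early_exit(expected, presented, TAG_LEN, steps);
}

/* Helpers exposing the two observable outcomes separately. */
size_t steps_for_mismatch_at(size_t pos, int use_ct)
{
    size_t steps = 0;
    (void)compare_with_mismatch_at(pos, use_ct, &steps);
    return steps;
}

int equal_for_mismatch_at(size_t pos, int use_ct)
{
    return compare_with_mismatch_at(pos, use_ct, NULL);
}

int main(void)
{
    size_t pos;
    printf("mismatch_at  early_exit_steps  constant_time_steps\n");
    for (pos = 0; pos <= TAG_LEN; pos++) {
        printf("%11zu  %16zu  %19zu\n", pos,
               steps_for_mismatch_at(pos, 0),
               steps_for_mismatch_at(pos, 1));
    }
    return 0;
}
```

The early-exit column grows with the mismatch position while the constant-time column stays at 16, which is exactly the leak a timing attack would exploit and the reason mature libraries ship a dedicated constant-time equality routine. Note the caveat that a compiler is free to optimise the constant-time loop back into something branchy; production implementations add compiler barriers or use the platform library's vetted routine rather than trusting source-level intent alone.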
