On 21-06-2015 18:10, Salz, Rich wrote:
> The big thing is "avoid data-dependent jumps." For example, memcmp() always
> runs the full length, almost any "if" statement needs careful scrutiny, and
> so on.
Case in point:
https://github.com/msotoodeh/curve25519/blob/master/source/curve25519_dh.c#L108-145

This high-key-bit leak is only saved by X25519's insistence on setting the highest bit to 1 on every secret key. See https://eprint.iacr.org/2011/232 for a case without such safeguards.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
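An added worked example of the two points raised in this exchange, written for this page and not taken from the thread, from OpenSSL, or from the linked curve25519 repository. It shows a memcmp that always runs the full length, and it contrasts a scalar ladder that scans past leading zero bits (so its iteration count reveals the position of the scalar's highest set bit, the pattern the message calls a high-key-bit leak) with a fixed-length Montgomery ladder, then shows why X25519 clamping (RFC 7748: clear bits 0..2 and 255, set bit 254) pins that position to 254 for every secret key. The group is a stand-in: exponentiation modulo a small prime, which has the same double-and-add structure as point multiplication; `TOY_P`, the sample scalar and the function names are assumptions made for this example, and the variable-time ladder illustrates the leak pattern rather than reproducing the exact linked lines.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constant-time compare: every byte is touched regardless of where the first
 * difference is, so the running time does not depend on the data. 0 iff equal. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];               /* accumulate, never break early */
    return acc;
}

/* X25519 clamping (RFC 7748): clear bits 0..2 and 255, set bit 254.
 * Afterwards the highest set bit of every secret scalar is bit 254. */
void x25519_clamp(uint8_t k[32])
{
    k[0]  &= 248;
    k[31] &= 127;
    k[31] |= 64;
}

static uint64_t bit(const uint8_t k[32], int i)
{
    return (k[i >> 3] >> (i & 7)) & 1;
}

/* Toy stand-in for the curve: g^k mod p. p is a 30-bit prime (assumption for
 * this example) so every product fits in a uint64_t. */
#define TOY_P 1000000007ULL

/* Variable-time ladder: scans past leading zero bits, then branches on each
 * bit. *steps (and the running time) equals the bit length of k, so the scan
 * is itself a data-dependent jump that leaks where the top bit is. */
uint64_t ladder_vartime(const uint8_t k[32], uint64_t g, int *steps)
{
    int top = 255;
    while (top >= 0 && !bit(k, top))
        top--;                              /* leaks the MSB position */
    uint64_t acc = 1;
    *steps = 0;
    for (int i = top; i >= 0; i--) {
        acc = acc * acc % TOY_P;            /* double */
        if (bit(k, i))                      /* data-dependent jump */
            acc = acc * g % TOY_P;          /* add */
        (*steps)++;
    }
    return acc;
}

/* Fixed-length Montgomery ladder: always 255 iterations over bits 254..0
 * (bit 255 is zero for a clamped X25519 scalar), selecting with a mask
 * instead of a branch. */
uint64_t ladder_fixed(const uint8_t k[32], uint64_t g, int *steps)
{
    uint64_t r0 = 1, r1 = g % TOY_P;        /* invariant: r1 == r0 * g */
    *steps = 0;
    for (int i = 254; i >= 0; i--) {
        uint64_t mask = 0 - bit(k, i);      /* all ones iff bit i is set */
        uint64_t t = mask & (r0 ^ r1);      /* constant-time conditional swap */
        r0 ^= t; r1 ^= t;
        r1 = r0 * r1 % TOY_P;
        r0 = r0 * r0 % TOY_P;
        t = mask & (r0 ^ r1);               /* swap back */
        r0 ^= t; r1 ^= t;
        (*steps)++;
    }
    return r0;
}

int main(void)
{
    uint8_t k[32] = {0};                    /* constructed sample scalar: k = 8 */
    k[0] = 8;
    int s_var, s_fix;
    uint64_t a = ladder_vartime(k, 5, &s_var);
    uint64_t b = ladder_fixed(k, 5, &s_fix);
    printf("unclamped k=8: vartime steps=%d, fixed steps=%d, results %llu/%llu\n",
           s_var, s_fix, (unsigned long long)a, (unsigned long long)b);
    x25519_clamp(k);                        /* now bit 254 is set */
    a = ladder_vartime(k, 5, &s_var);
    b = ladder_fixed(k, 5, &s_fix);
    printf("clamped: vartime steps=%d, fixed steps=%d, results equal=%d\n",
           s_var, s_fix, a == b);
    return 0;
}
```

With the unclamped 4-bit scalar the variable-time ladder runs 4 iterations while the fixed ladder runs 255; after clamping both run 255, which is the whole of the safeguard the message describes: clamping does not make the scan constant-time, it only guarantees that the quantity it leaks is the same for every key. The fixed ladder drops bit 255, so it is only a drop-in for scalars that have been clamped (or otherwise have bit 255 clear).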
