Does anyone have any comment on my reasoning regarding the constant time? Here is the text:
Side Channel Security:
----------------------

This library uses multiple measures with the goal of eliminating leakage of secret keys during cryptographic operations. Constant-time is one of these measures and is implemented for private keys when they are directly operated on (no conditional operation based on key values). The second and more effective measure that this library uses is blinding. Blinding hides the private keys by combining them with a random value.

It is a fact that a constant-time implementation does not necessarily translate to constant power consumption, constant electromagnetic radiation and so on. It also depends on how the underlying hardware manipulates different circuitry for each operation. For example, a hardware multiplier may use the primitive technique of shift-and-conditional-add, or it may use a barrel shifter when multiplying by a power of 2. Blinding is the more effective measure with less performance penalty. Constant-time alone pushes attackers to dig deeper for clues.

On Sun, Jun 21, 2015 at 10:33 AM, Salz, Rich <[email protected]> wrote:
> > This high-key-bit leak is only saved by X25519's insistence on setting
> > the highest bit to 1 on every secret key.
>
> This is not a coincidence. Djb was the first, and is still one of the
> few, cryptographers who think about it from a full systems approach and
> design things so that proper implementation is relatively easy.
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
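The two measures discussed in this message (constant-time operation and blinding) and the high-bit point from the quoted reply can be seen side by side in a small model of modular exponentiation. The following is an added illustration, not code from the library described in the message or from OpenSSL; the function names `modexp_leaky`, `modexp_fixed`, `clamp_top_bit` and `modexp_blinded`, the 64-bit blinding width and the sample modulus are all choices made here for the example. Python big integers are not themselves constant-time, so the point is the structure of the loops (iteration count, conditional multiply, masked select, randomised exponent), not a timing guarantee.

```python
import secrets


def modexp_leaky(base, exp, mod):
    """Textbook left-to-right square-and-multiply.

    Two secret-dependent behaviours: the loop starts at the highest SET bit,
    so the iteration count reveals the exponent's bit length, and the extra
    multiply happens only when the current key bit is 1, so the multiply count
    reveals the Hamming weight. Returns (result, multiplies, iterations).
    """
    result, multiplies, iterations = 1, 0, 0
    for i in range(exp.bit_length() - 1, -1, -1):
        iterations += 1
        result = (result * result) % mod
        if (exp >> i) & 1:                 # conditional operation on a key bit
            result = (result * base) % mod
            multiplies += 1
    return result, multiplies, iterations


def modexp_fixed(base, exp, mod, nbits):
    """Same computation with a fixed iteration count (nbits, chosen by the
    caller, not derived from the key) and an unconditional multiply whose
    result is kept or discarded by arithmetic masking instead of a branch."""
    result = 1
    for i in range(nbits - 1, -1, -1):
        result = (result * result) % mod
        candidate = (result * base) % mod  # always computed
        bit = (exp >> i) & 1
        mask = -bit                        # 0 if bit == 0, -1 (all ones) if bit == 1
        result = (candidate & mask) | (result & ~mask)
    return result


def clamp_top_bit(exp, nbits):
    """Force bit nbits-1 to 1, as X25519 does for its secret scalars, so that
    even an implementation that starts at the highest set bit always runs
    exactly nbits iterations regardless of the key value."""
    return exp | (1 << (nbits - 1))


def modexp_blinded(base, exp, mod, group_order, blind_bits=64):
    """Exponent blinding: add a fresh random multiple of the group order to the
    secret exponent before every operation. Since base**group_order == 1 (mod
    mod), the result is unchanged, but the bit pattern the loop consumes
    differs on every call and is never the long-term key itself.
    Assumes 0 <= exp < group_order."""
    r = secrets.randbits(blind_bits)
    blinded_exp = exp + r * group_order
    # Fixed bound covering the largest possible blinded exponent (< 2**blind_bits * group_order).
    nbits = group_order.bit_length() + blind_bits + 1
    return modexp_fixed(base, blinded_exp, mod, nbits)


if __name__ == "__main__":
    # Constructed sample values: a Mersenne prime modulus, so Z_P^* has order P - 1.
    P = 2**127 - 1
    key = 0x3A5F_0C2E_9B71_4D88_1F06_E2C3_7A19_5B4D  # constructed, not a real key
    print("leaky  :", modexp_leaky(3, key, P))        # (result, multiplies, iterations)
    print("fixed  :", modexp_fixed(3, key, P, 128))
    print("blinded:", modexp_blinded(3, key, P, P - 1))
    print("reference:", pow(3, key, P))
```

Running it shows the leaky variant's multiply and iteration counts change with the key, while the fixed and blinded variants return the same value through a loop whose shape does not depend on the key; the blinded variant additionally feeds a different exponent into that loop on every call, which is the property the message relies on when it calls blinding the more effective of the two measures.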
