[openssl-dev] curve25519

Mehdi Sotoodeh mehdisotoodeh at gmail.com
Sun Jun 21 17:05:53 UTC 2015


Hi Aaron,
Did you look at the text regarding side channel security on the front page?
It is located towards the end of the page and I think you missed it.
My reasoning is the fact that the goal of constant time is not achievable
by software-only approaches. A lot depends on the underlying hardware.

Thanks
mehdi.

On Sun, Jun 21, 2015 at 7:53 AM, Aaron Jones <aaronmdjones at gmail.com> wrote:

>
> On 20/06/15 23:24, Mehdi Sotoodeh wrote:
> > [...] Major features of this library include: [...] *
> > Constant-time (partially) and blinding support for side channel
> > security.
>
> I really have to question the wisdom of adding implementations
> of Curve25519 and/or Ed25519 that are not completely constant-
> time.
>
> The almost entire design goal was to produce a scheme that does
> not perform branches on secret data (branch predictor timing
> attack), load from secret addresses (cache timing attack), etc
> etc.
>
> Adding blinding support only serves to (attempt to) correct the
> mistake of introducing timing attacks in the first place.
>
> --
> Aaron Jones
>
>
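The design property Aaron describes (no branches on secret data, no loads from secret addresses) is easiest to see in the conditional swap that an X25519 Montgomery ladder performs once per scalar bit. The following is an added illustration, not code from this thread or from the library under discussion; the 5-limb field-element layout and the constructed limb values are assumptions chosen for the example.

```c
#include <stdint.h>
#include <string.h>
#define LIMBS 5
typedef uint64_t fe[LIMBS];   /* field element: 5 x 64-bit limbs (assumed layout) */

/* Branching form: which path executes depends on a key bit, so the branch
   predictor and instruction-fetch pattern reveal that bit. */
static void cswap_branching(fe a, fe b, unsigned bit) {
    if (bit & 1) {
        fe t;
        memcpy(t, a, sizeof(fe));
        memcpy(a, b, sizeof(fe));
        memcpy(b, t, sizeof(fe));
    }
}

/* Constant-time form: derive an all-ones or all-zeros mask from the bit and
   perform identical loads, stores and arithmetic for either value. */
static void cswap_ct(fe a, fe b, unsigned bit) {
    uint64_t mask = 0 - (uint64_t)(bit & 1);   /* 0 or 0xFFFF...FFFF */
    for (int i = 0; i < LIMBS; i++) {
        uint64_t x = (a[i] ^ b[i]) & mask;
        a[i] ^= x;
        b[i] ^= x;
    }
}

/* Constant-time equality: OR all limb differences together, then collapse
   d to 0/1 without a data-dependent early exit. Returns 1 if equal. */
static int fe_eq_ct(const fe a, const fe b) {
    uint64_t d = 0;
    for (int i = 0; i < LIMBS; i++) d |= a[i] ^ b[i];
    return (int)(1 & ~((d | (0 - d)) >> 63));   /* top bit set iff d != 0 */
}

/* Constructed inputs; returns 1 when both swap forms agree for this bit. */
int cswap_selftest(unsigned bit) {
    fe a1 = {1, 2, 3, 4, 5}, b1 = {6, 7, 8, 9, 10};
    fe a2 = {1, 2, 3, 4, 5}, b2 = {6, 7, 8, 9, 10};
    cswap_branching(a1, b1, bit);
    cswap_ct(a2, b2, bit);
    return fe_eq_ct(a1, a2) & fe_eq_ct(b1, b2);
}

/* First limb of a after the constant-time swap: 6 when bit=1, 1 when bit=0. */
uint64_t cswap_ct_first_limb(unsigned bit) {
    fe a = {1, 2, 3, 4, 5}, b = {6, 7, 8, 9, 10};
    cswap_ct(a, b, bit);
    return a[0];
}
```

Both forms compute the same result; only the masked one executes the same instruction and memory-access sequence for every key bit, which is what Mehdi's point about the hardware still leaving open (compiler and micro-architectural behaviour) applies to.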