[openssl-dev] curve25519

Samuel Neves sneves at dei.uc.pt
Sun Jun 21 17:27:15 UTC 2015


On 21-06-2015 18:10, Salz, Rich wrote:
> The big thing is "avoid data-dependent jumps."  For example, memcmp() always runs the full length, almost any "if" statement needs careful scrutiny, and so on.

Case in point: https://github.com/msotoodeh/curve25519/blob/master/source/curve25519_dh.c#L108-145

This high-key-bit leak is only saved by X25519's insistence on setting the highest bit to 1 on every secret key. See
https://eprint.iacr.org/2011/232 for a case without such safeguards.
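As an added illustration (not code from this thread or from the linked repository) of the high-bit leak described above: a toy Montgomery ladder over modular exponentiation, where the ladder structure is the same as in Curve25519, instrumented with an iteration counter as a stand-in for running time. The function names, the use of exponentiation mod p instead of curve arithmetic, and the sample key bytes are assumptions of this example; the clamping rule is the one from RFC 7748.

```python
# Added example, not from the thread. `leaky_ladder` starts at the highest *set* bit,
# so its step count reveals the scalar's bit length. `fixed_ladder` always runs all
# 255 positions and selects with an arithmetic swap. `clamp` is X25519 clamping
# (RFC 7748), which forces bit 254 on and so pins every secret key to 255 bits.

P = 2**255 - 19  # Curve25519 field prime, used here only as the toy group's modulus

def clamp(secret: bytes) -> int:
    """X25519 clamping: clear bits 0-2 and 255, set bit 254."""
    if len(secret) != 32:
        raise ValueError("X25519 scalar must be exactly 32 bytes")
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def leaky_ladder(base: int, scalar: int) -> tuple[int, int]:
    """Ladder that begins at the top set bit; returns (base**scalar mod P, steps)."""
    r0, r1 = 1, base % P
    steps = scalar.bit_length()   # leading zero bits are skipped: this is the leak
    for i in range(steps - 1, -1, -1):
        if (scalar >> i) & 1:     # data-dependent branch, a second leak on its own
            r0, r1 = r0 * r1 % P, r1 * r1 % P
        else:
            r0, r1 = r0 * r0 % P, r0 * r1 % P
    return r0, steps

def cswap(bit: int, a: int, b: int) -> tuple[int, int]:
    """Swap a and b iff bit == 1, using a mask instead of a branch."""
    mask = -bit                   # 0 or -1 (all ones) for bit in {0, 1}
    d = (a ^ b) & mask
    return a ^ d, b ^ d

def fixed_ladder(base: int, scalar: int) -> tuple[int, int]:
    """Ladder that always visits bits 254..0; returns (base**scalar mod P, steps)."""
    r0, r1 = 1, base % P
    steps = 0
    for i in range(254, -1, -1):
        bit = (scalar >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r0, r1 = r0 * r0 % P, r0 * r1 % P
        r0, r1 = cswap(bit, r0, r1)
        steps += 1
    return r0, steps
```

With a constructed 32-byte key such as `bytes(range(32))`, `clamp` yields a 255-bit scalar, so even `leaky_ladder` takes 255 steps; with an unclamped short scalar its step count equals the scalar's bit length, which is what the linked paper exploits. Python integers are not themselves constant-time; the step counter, not wall-clock time, is the quantity this example measures.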
