[openssl-dev] curve25519

Mehdi Sotoodeh mehdisotoodeh at gmail.com
Sun Jun 21 21:56:32 UTC 2015


Does anyone have any comment on my reasoning regarding the constant time?

Here is the text:

Side Channel Security:
----------------------
This library uses multiple measures with the goal of eliminating leakage of secret
keys during cryptographic operations. Constant-time is one of these measures and
is implemented for private keys when they are directly operated on (no conditional
operation based on key values).
The second and more effective measure that this library uses is blinding. Blinding
hides the private keys by combining them with a random value.

It is a fact that a constant-time implementation does not necessarily translate to
constant-power-consumption, constant-electro-magnetic-radiation and so on. It also
depends on how the underlying hardware manipulates different circuitry for each
operation. For example, a hardware multiplier may use the primitive technique of
shift-and-conditional-add or it may use a barrel shifter when multiplying by a
power-of-2 number.

Blinding is the more effective measure with less performance penalty.
Constant-time alone pushes attackers to dig deeper for clues.


On Sun, Jun 21, 2015 at 10:33 AM, Salz, Rich <rsalz at akamai.com> wrote:

>
> > This high-key-bit leak is only saved by X25519's insistence on setting
> the
> > highest bit to 1 on every secret key.
>
> This is not a coincidence.  Djb was the first, and is still one of the
> few, cryptographers who think about it from a full systems approach and
> design things so that proper implementation is relatively easy.
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
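The post above contrasts a constant-time ladder with scalar blinding but does not show how the two fit together. The following is an added illustration (not Mehdi's library code and not OpenSSL code) of one common blinding construction on Curve25519: the clamped private scalar k is replaced by k' = k + r*(8L), where L is the order of the base point, 8 the cofactor and r a fresh random value. Since 8L*P is the identity for every point P on the curve, k'*P == k*P, yet the bit pattern the Montgomery ladder walks is different on every call. The ladder is the one from RFC 7748; the blinding-factor size (64 bits), the fixed 321-bit ladder length and the helper names are assumptions made for this example.

```python
import secrets

# Curve25519 public parameters (RFC 7748)
P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
COFACTOR = 8                                           # curve order is 8 * L
A24 = 121665                                           # (486662 - 2) / 4
BASE_U = 9                                             # base point u-coordinate

# Blinding parameters chosen for this illustration (assumptions, not the library's)
BLIND_BITS = 64                        # size of the random blinding factor r
LADDER_BITS = 255 + BLIND_BITS + 2     # > bit length of k + r*8L; used for EVERY run


def clamp(k):
    """Standard X25519 clamping of a 256-bit private scalar."""
    k &= (1 << 255) - 1     # clear bit 255
    k &= ~7                 # multiple of 8: kills the small-order component
    k |= 1 << 254           # fixed top bit
    return k


def cswap(swap, a, b):
    """Branch-free conditional swap via arithmetic masking.
    Python integers are not constant time; this mirrors the C idiom only."""
    mask = -swap            # swap=0 -> 0, swap=1 -> all ones (unbounded ints)
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def ladder(k, u, nbits=LADDER_BITS):
    """RFC 7748 Montgomery ladder, always processing exactly nbits scalar bits
    so the blinded and unblinded scalars perform identical work."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(nbits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def blind_scalar(k, r):
    """k' = k + r*8L: identical result on every curve point, different bit pattern."""
    return k + r * (COFACTOR * L)


def x25519(k, u):
    """Plain scalar multiplication with the clamped private scalar."""
    return ladder(clamp(k), u)


def x25519_blinded(k, u, r=None):
    """Same operation, but the ladder never sees the long-term scalar itself."""
    if r is None:
        r = secrets.randbits(BLIND_BITS)   # fresh per call; never reuse r
    return ladder(blind_scalar(clamp(k), r), u)


def demo():
    """Check that blinding does not change the result and returns both outputs."""
    k = secrets.randbits(256)
    plain = x25519(k, BASE_U)
    blinded = x25519_blinded(k, BASE_U)
    return plain, blinded, plain == blinded


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise about this particular scheme: the multiple of 8L cancels only on points of the curve itself, so a u-coordinate on the quadratic twist (which plain X25519 deliberately tolerates) would give a different result under blinding, and the ladder length must be fixed from the maximum possible size of k' rather than derived from the value, or the blinding factor's length becomes the new timing signal.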