Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2014-03-05 📝 Original message:On Wed, Mar 5, 2014 at ...
📅 Original date posted:2014-03-05
📝 Original message:On Wed, Mar 5, 2014 at 1:31 PM, Eric Lombrozo <elombrozo at gmail.com> wrote:
> If we don't mind sacrificing some performance when signing, there's a fairly
> simple way to implement a constant-time constant-cache-access-pattern
> secp256k1.
> It is based on the idea of branchless implementations of the field and group
> operations.
Do take care that branchless doesn't mean side-channel free: On
non-trivial hardware you must have uniform memory accesses too.
(and that itself isn't enough for sidechannel freeness against an
attacker that can do power analysis... then you star worrying about
the internal structure your primitive adders and the hamming weight of
your numbers, and needing to build hardware that uses differential
logic, and yuck yuck yuck: This is why you still shouldn't reuse
addresses, and why a blinding approach may still be sensible, even if
you believe your implementation is hardened against side-channels)
📝 Original message:On Wed, Mar 5, 2014 at 1:31 PM, Eric Lombrozo <elombrozo at gmail.com> wrote:
> If we don't mind sacrificing some performance when signing, there's a fairly
> simple way to implement a constant-time constant-cache-access-pattern
> secp256k1.
> It is based on the idea of branchless implementations of the field and group
> operations.
Do take care that branchless doesn't mean side-channel free: On
non-trivial hardware you must have uniform memory accesses too.
(and that itself isn't enough for sidechannel freeness against an
attacker that can do power analysis... then you star worrying about
the internal structure your primitive adders and the hamming weight of
your numbers, and needing to build hardware that uses differential
logic, and yuck yuck yuck: This is why you still shouldn't reuse
addresses, and why a blinding approach may still be sensible, even if
you believe your implementation is hardened against side-channels)