Constant-time bigint arithmetic #172
I guess we will need that for the fancy EC stuff coming up?! I'm just going to put it out there: we won't have the time to implement this ourselves
Constant-time modular arithmetic is not that complicated.
(and yes, this is another crypto building block, and is needed for timing side channel security of #169)
As in the oldest joke in IT:
I know it is conceptually easy, but with all the leaky abstractions, pulling it off cross-platform might be a bit of a challenge. I have no doubt we could pull it off for the JVM and using C/C++ for native targets, given we actually find the time to do it. KMP though… not sure. Maybe I'm too pessimistic. Also: priorities…
Priorities are why it's an issue, not a PR.
As mentioned in #169, it doesn't matter whether our EC math (or operations building on it) are constant time if the underlying modular arithmetic is not constant time.
Investigate whether the underlying modular arithmetic is constant time. (I am fairly certain that it is not.) If it is actually not, consider how we can implement CT ops when operating with secrets (without paying the overhead for public ops).
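As an added illustration of what "constant-time modular arithmetic" means at the limb level, here is a branch-free modular add and subtract on fixed-width integers in C. This is example code written for this page, not code from the issue or the project; the 8 x 32-bit limb layout, the `LIMBS` constant and all function names are assumptions made for the example, and the check values in `selfcheck` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Example layout (assumed): 256-bit integers as 8 little-endian 32-bit limbs,
   so a 64-bit accumulator holds every intermediate sum or difference exactly. */
#define LIMBS 8
typedef uint32_t limb_t;

/* r = a + b mod 2^256, returns carry-out (0 or 1). Same work for every input:
   no branch or memory access depends on the limb values. */
static limb_t ct_add(limb_t r[LIMBS], const limb_t a[LIMBS], const limb_t b[LIMBS]) {
    uint64_t acc = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        acc += (uint64_t)a[i] + b[i];
        r[i] = (limb_t)acc;
        acc >>= 32;                   /* carry is whatever sits above bit 31 */
    }
    return (limb_t)acc;
}

/* r = a - b mod 2^256, returns borrow-out (0 or 1). */
static limb_t ct_sub(limb_t r[LIMBS], const limb_t a[LIMBS], const limb_t b[LIMBS]) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t d = (uint64_t)a[i] - b[i] - borrow;
        r[i] = (limb_t)d;
        borrow = (d >> 32) & 1;       /* wrapped below zero iff the high half is set */
    }
    return (limb_t)borrow;
}

/* r = cond ? x : y for cond in {0,1}, done with an all-ones/all-zeros mask
   instead of an if, so the choice leaves no timing trace. */
static void ct_select(limb_t r[LIMBS], const limb_t x[LIMBS], const limb_t y[LIMBS], limb_t cond) {
    limb_t mask = (limb_t)0 - cond;
    for (size_t i = 0; i < LIMBS; i++)
        r[i] = (x[i] & mask) | (y[i] & ~mask);
}

/* (a + b) mod m for a, b < m. The variable-time idiom "if (t >= m) t -= m"
   leaks whether a reduction happened; here both candidates are always computed. */
static void ct_mod_add(limb_t r[LIMBS], const limb_t a[LIMBS], const limb_t b[LIMBS], const limb_t m[LIMBS]) {
    limb_t t[LIMBS], u[LIMBS];
    limb_t carry  = ct_add(t, a, b);  /* t = a + b truncated, carry = overflow past 2^256 */
    limb_t borrow = ct_sub(u, t, m);  /* u = t - m, borrow = (t < m) */
    ct_select(r, u, t, carry | (borrow ^ 1));  /* reduce iff the true sum >= m */
}

/* (a - b) mod m for a, b < m: subtract, then add m back iff it went negative. */
static void ct_mod_sub(limb_t r[LIMBS], const limb_t a[LIMBS], const limb_t b[LIMBS], const limb_t m[LIMBS]) {
    limb_t t[LIMBS], u[LIMBS];
    limb_t borrow = ct_sub(t, a, b);
    ct_add(u, t, m);                  /* carry-out discarded: it cancels the borrow */
    ct_select(r, u, t, borrow);
}

/* Constant-time equality: OR all limb differences, then map non-zero -> 0. */
static int ct_eq(const limb_t x[LIMBS], const limb_t y[LIMBS]) {
    limb_t acc = 0;
    for (size_t i = 0; i < LIMBS; i++) acc |= x[i] ^ y[i];
    return (int)(((acc | ((limb_t)0 - acc)) >> 31) ^ 1);
}

/* Constructed check values (not from the issue). Returns 1 when every case matches. */
int selfcheck(void) {
    /* m = 2^256 - 2, a = b = m - 1: a + b overflows 256 bits, result is m - 2 */
    limb_t m1[LIMBS] = {0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF};
    limb_t a1[LIMBS] = {0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF};
    limb_t e1[LIMBS] = {0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF};
    /* m = 7: (1 - 3) mod 7 = 5, (6 + 4) mod 7 = 3, (1 - 1) mod 7 = 0 */
    limb_t m2[LIMBS] = {7}, one[LIMBS] = {1}, three[LIMBS] = {3}, four[LIMBS] = {4}, six[LIMBS] = {6};
    limb_t e2[LIMBS] = {5}, e3[LIMBS] = {3}, zero[LIMBS] = {0};
    limb_t r[LIMBS];
    int ok = 1;
    ct_mod_add(r, a1, a1, m1);     ok &= ct_eq(r, e1);
    ct_mod_sub(r, one, three, m2); ok &= ct_eq(r, e2);
    ct_mod_add(r, six, four, m2);  ok &= ct_eq(r, e3);
    ct_mod_sub(r, one, one, m2);   ok &= ct_eq(r, zero);   /* no correction needed */
    return ok;
}

int main(void) {
    printf("constant-time mod add/sub self-check: %s\n", selfcheck() ? "ok" : "FAILED");
    return selfcheck() ? 0 : 1;
}
```

The two things the example relies on are that every limb does identical work regardless of its value and that the final choice is a mask select, not a branch. Neither property is guaranteed by the source alone: an optimizing compiler (and, for the KMP/JVM case raised above, a JIT) may turn the mask select back into a conditional jump, so the generated code has to be inspected. Keeping a separate variable-time path for public operands, as the issue suggests, is how implementations avoid paying this cost everywhere.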