Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2014-03-05 📝 Original message:On Wed, Mar 5, 2014 at ...
📅 Original date posted:2014-03-05
📝 Original message:On Wed, Mar 5, 2014 at 1:31 PM, Eric Lombrozo <elombrozo at gmail.com> wrote:
> If we don't mind sacrificing some performance when signing, there's a fairly
> simple way to implement a constant-time constant-cache-access-pattern
> secp256k1.
> It is based on the idea of branchless implementations of the field and group
> operations.
Do take care that branchless doesn't mean side-channel free: On
non-trivial hardware you must have uniform memory accesses too.

(and that itself isn't enough for side-channel freeness against an
attacker that can do power analysis... then you start worrying about
the internal structure of your primitive adders and the hamming weight of
your numbers, and needing to build hardware that uses differential
logic, and yuck yuck yuck: This is why you still shouldn't reuse
addresses, and why a blinding approach may still be sensible, even if
you believe your implementation is hardened against side-channels)
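The distinction Maxwell draws above, as an added example in C (this is not code from the thread, from Eric Lombrozo, or from any secp256k1 implementation; the table size, limb layout and function names are assumptions). It shows a precomputed-table lookup that is branchless yet leaks the secret index through its memory-access pattern, beside a lookup that reads every entry and selects with a mask, plus a mask-based conditional swap, both of which keep the access pattern independent of the secret:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from any secp256k1 library:
 * table size, limb layout and function names are illustrative assumptions.
 * It contrasts a table lookup that is branchless but whose memory-access
 * pattern depends on a secret index with one whose accesses are uniform. */

#define TABLE_SIZE 16   /* e.g. a 4-bit fixed-window precomputation table (assumed) */
#define LIMBS 4         /* a 256-bit field element as four 64-bit limbs (assumed) */

typedef struct { uint64_t limb[LIMBS]; } elem_t;

/* Branchless, but NOT side-channel free: the cache line touched depends on
 * the secret index, so a cache-timing observer learns idx. */
void lookup_branchless_leaky(elem_t *out, const elem_t table[TABLE_SIZE], size_t idx)
{
    *out = table[idx];
}

/* All-ones if a == b, all-zeros otherwise, computed without branches. */
static uint64_t ct_eq_mask(uint64_t a, uint64_t b)
{
    uint64_t x = a ^ b;                 /* zero iff a == b */
    x |= x >> 32; x |= x >> 16; x |= x >> 8;
    x |= x >> 4;  x |= x >> 2;  x |= x >> 1;
    return (x & 1) - 1;                 /* low bit 0 -> 0xFFFF..., 1 -> 0 */
}

/* Branchless AND uniform: every entry is read on every call and the wanted
 * one is kept with a mask, so the access pattern is independent of idx. */
void lookup_uniform(elem_t *out, const elem_t table[TABLE_SIZE], size_t idx)
{
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint64_t m = ct_eq_mask((uint64_t)i, (uint64_t)idx);
        for (size_t l = 0; l < LIMBS; l++)
            out->limb[l] |= table[i].limb[l] & m;
    }
}

/* Constant-time conditional swap (Montgomery-ladder style): swaps a and b
 * iff bit == 1, reading and writing both operands identically either way. */
void ct_cswap(elem_t *a, elem_t *b, uint64_t bit)
{
    uint64_t m = (uint64_t)0 - (bit & 1);   /* 1 -> all ones, 0 -> zero */
    for (size_t l = 0; l < LIMBS; l++) {
        uint64_t d = (a->limb[l] ^ b->limb[l]) & m;
        a->limb[l] ^= d;
        b->limb[l] ^= d;
    }
}

/* Constructed sample table: entry i, limb l holds i*100 + l. */
static void make_table(elem_t table[TABLE_SIZE])
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        for (size_t l = 0; l < LIMBS; l++)
            table[i].limb[l] = (uint64_t)(i * 100 + l);
}

/* Returns 1 if the uniform lookup yields the same value as the leaky one
 * for every index (they differ only in access pattern, not in result). */
int lookups_agree(void)
{
    elem_t table[TABLE_SIZE], leaky, uniform;
    make_table(table);
    for (size_t idx = 0; idx < TABLE_SIZE; idx++) {
        lookup_branchless_leaky(&leaky, table, idx);
        lookup_uniform(&uniform, table, idx);
        if (memcmp(&leaky, &uniform, sizeof leaky) != 0)
            return 0;
    }
    return 1;
}

/* Returns 1 if ct_cswap swaps on bit 1 and leaves operands alone on bit 0. */
int cswap_works(void)
{
    elem_t table[TABLE_SIZE], a, b;
    make_table(table);
    a = table[3];
    b = table[9];
    ct_cswap(&a, &b, 0);
    if (a.limb[0] != 300 || b.limb[0] != 900) return 0;
    ct_cswap(&a, &b, 1);
    if (a.limb[0] != 900 || b.limb[0] != 300) return 0;
    return 1;
}

int main(void)
{
    printf("lookups agree: %d\n", lookups_agree());
    printf("cswap works:   %d\n", cswap_works());
    return 0;
}
```

The uniform lookup costs TABLE_SIZE reads and mask operations per selection instead of one, which is the signing-time performance Lombrozo's reply is willing to give up. It only addresses the timing and cache channels Maxwell names first; as his message goes on to say, a uniform access pattern does nothing about power analysis, so blinding the scalar remains a sensible additional layer rather than something this code replaces.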
Published at 2023-06-07 15:14:45