Remember that P-256 carry bug a while back from @FiloSottile/@thecomp1ler/@Cloudflare?
Here's the bug: https://github.com/golang/go/issues/20040
And here's what happens when you get a single bit wrong in a crypto algorithm: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html
Either just pick something huge, or measure over a largeish random set of ops & go a bit larger.
-
"You must use one of a small # of bleeding-edge ISAs to do crypto safely" is not something I consider a viable position.
-
Fair enough, I can respect that. For me, “all crypto opts must take the maximum theoretical execution time on my device” is not a viable position either.
-
I actually have alternate possible solutions based on pseudo-const-time vm interp & const-time algorithms inside the vm, but also very costly.
-
That's not enough: constant time is also about *CPU* time.
-
I think you missed the lack of any sleep there.
-
Task scheduling can change the number of while loop iterations. Moreover, careful statistical sampling + large server load can help recover the actual algorithm CPU cost.
-
Huge is the only answer that can work, because otherwise you still risk timing attacks if the attacker can overload your machine such that execution time of the code dominates k. Resisting this attack requires slowing all crypto opts down to the slowest they could possibly run.