On Tue, Apr 7, 2015 at 6:55 PM, Brian Warner <[email protected]> wrote:
> Of course it's very much not constant-time, and a lot slower than a C
> implementation. But a pure-python library is, in practice, much easier
> to depend upon than one that requires a C compiler.
I applaud you for seeking public review; but doesn't your remark above mean that many people will use it, because it's easy, even if their actual (and perhaps not completely known to them) security requirements demand that it not have timing side channels (or memory leaks)? (Especially that seems odd when also talking about SPAKE2, ... a complex zero-knowledge password-based key agreement having a timing leak that might even be visible on the network would be really unfortunate.)

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves

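The exchange above is about a pure-Python curve library that is "very much not constant-time". The following is an added example, not code from this thread nor from any library discussed on it, that makes that concern concrete for the operation such a library exists to perform: scalar multiplication by a secret scalar. The group is a stand-in (multiplication modulo a prime, so "scalar multiplication" is modular exponentiation), chosen because the control flow of double-and-add is identical to the elliptic-curve case; the modulus `P`, base `G` and the secrets are constructed values, and work is measured by counting group operations rather than by wall-clock time, which an interpreter makes too noisy to read.

```python
# Added example (not code from the thread, nor from any library discussed on it).
# It makes the "not constant-time" concern concrete for the operation a curve
# library exists to do: scalar multiplication with a secret scalar.
#
# Assumptions, all constructed for the demonstration:
#   - the group is multiplication modulo a prime P, so "scalar multiplication"
#     is modular exponentiation; the control flow of double-and-add is the
#     same as for an elliptic-curve point, which is all that matters here;
#   - work is measured by counting group operations, because wall-clock timing
#     of an interpreter is noisy and would obscure the structural leak.

P = 2**127 - 1   # a Mersenne prime, standing in for the group order
G = 3            # a fixed base element, standing in for the generator


class CountingGroup:
    """Group operations with an operation counter, so that data-dependent
    work shows up as a number rather than as a timing difference."""

    def __init__(self, modulus):
        self.modulus = modulus
        self.ops = 0

    def op(self, a, b):
        self.ops += 1
        return (a * b) % self.modulus


def scalar_mult_naive(group, base, scalar, bits):
    """Textbook double-and-add, MSB first. The 'add' is only done when the
    scalar bit is 1, so the number of group operations (and thus the time)
    leaks the Hamming weight of the secret, and the branch itself leaks
    each bit to anyone who can observe the control flow."""
    acc = 1
    for i in reversed(range(bits)):
        acc = group.op(acc, acc)           # double (square)
        if (scalar >> i) & 1:              # secret-dependent branch
            acc = group.op(acc, base)      # add (multiply by base)
    return acc


def cswap(bit, x, y):
    """Conditional swap written with masks instead of a branch. `-bit` is 0
    or -1, and Python ints of either sign AND cleanly with arbitrary-width
    values. This removes the branch; it does NOT make Python's big-integer
    arithmetic constant-time."""
    mask = -bit
    diff = (x ^ y) & mask
    return x ^ diff, y ^ diff


def scalar_mult_ladder(group, base, scalar, bits):
    """Montgomery ladder: exactly one 'add' and one 'double' per bit,
    whatever the bit is. Invariant after each step: r1 == r0 * base."""
    r0, r1 = 1, base
    for i in reversed(range(bits)):
        bit = (scalar >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = group.op(r0, r1)              # add
        r0 = group.op(r0, r0)              # double
        r0, r1 = cswap(bit, r0, r1)
    return r0


def operation_counts(scalar, bits=64):
    """Run both algorithms on the same secret and report what each did.
    Returns (naive_ops, ladder_ops, both_results_correct)."""
    g_naive, g_ladder = CountingGroup(P), CountingGroup(P)
    expected = pow(G, scalar, P)
    n = scalar_mult_naive(g_naive, G, scalar, bits)
    l = scalar_mult_ladder(g_ladder, G, scalar, bits)
    return g_naive.ops, g_ladder.ops, (n == expected and l == expected)


if __name__ == "__main__":
    # Three constructed 64-bit secrets of very different Hamming weight.
    for secret in (1, 2**64 - 1, 0x5A5A5A5A5A5A5A5A):
        naive_ops, ladder_ops, ok = operation_counts(secret)
        print(f"scalar={secret:#x}: naive={naive_ops} ladder={ladder_ops} correct={ok}")
```

For a 64-bit secret the naive loop does 64 doublings plus one addition per set bit (65 operations for the scalar 1, 128 for all-ones), while the ladder always does 128; the gross, potentially network-visible leak is the work proportional to the secret's Hamming weight. The ladder removes that branch structure, but Python's `*` and `%` on integers are themselves variable-time in operand size and the interpreter adds its own noise, so a pure-Python implementation can narrow the leak, not close it. That residual gap is exactly the trade-off the quoted sentence and the reply are weighing.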