On Tue, 2 May 2017 09:03:35 +0200 Christian Seiler <[email protected]> wrote: > As with the other pure JS crypto package ITP here recently [1]: has > this library been designed with timing attacks in mind? In contrast > to the first example, where upstream says that it's so slow that > nobody is probably going to use it in real life anyway [2], this > library claims to be quite fast - in which case the chance of the > library being used in actual real-life applications is higher. And > it uses the same bignum library that the other package is also > using, which doesn't appear to have been designed with timing > considerations in mind. (Which is fine for a bignum library not > intended for crypto purposes.) > > As with the previous package, the README of the project and the > other documentation does not discuss timing attacks at all, which > doesn't give me confidence that the author of the library has > thought about these issues.
This is forwarded upstream https://github.com/indutny/elliptic/issues/128
signature.asc
Description: OpenPGP digital signature
