On 3/26/25 19:06, NIIBE Yutaka via Gcrypt-devel wrote:
> [...] For the first improvement, I realized that runtime checks in ec_mod and its friends could be leaky, because it depends on how small/big the value is.
Could these checks instead be improved to run in constant time?
> Since it is (or can be) a precondition for those routines in the code of libgcrypt, it can be removed. Since it could be leaky, it's good to remove it.
Hypothetically, if those preconditions are violated, what could go wrong? How badly does the math fall apart? Could an invalid result potentially (partially) expose the signing key?
Removing runtime checks in this type of code makes me nervous. Maybe it is just paranoia.
-- Jacob
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
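The thread above contrasts a magnitude-dependent runtime check with the constant-time alternative Jacob asks about. The following is an added illustration, not code from libgcrypt or from either poster: it assumes a fixed-width 256-bit value of four 64-bit limbs (a constant-time routine needs a fixed limb count, whereas libgcrypt's MPI type is variable-length), and the sample values are constructed. `vt_lt` is the kind of early-exit check whose work depends on where the operands differ; `ct_lt` and `ct_cond_sub` do the same range test and the final reduction step of a modular operation with a borrow chain and a mask, so the same instructions execute whatever the values are.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: fixed-width 256-bit value as four little-endian 64-bit limbs. */
#define LIMBS 4
typedef struct { uint64_t v[LIMBS]; } u256;

/* Variable-time range check: returns 1 if a < b. It scans from the most
 * significant limb and stops at the first limb that differs, so the number of
 * iterations and the branch pattern depend on the operands. `steps` reports
 * how many limbs were examined, to make that dependence visible. */
static int vt_lt(const u256 *a, const u256 *b, size_t *steps)
{
    *steps = 0;
    for (int i = LIMBS - 1; i >= 0; i--) {
        (*steps)++;
        if (a->v[i] < b->v[i]) return 1;
        if (a->v[i] > b->v[i]) return 0;
    }
    return 0; /* equal */
}

/* Borrow-out of x - y - borrow_in, where d is that difference mod 2^64, read
 * from the top bit. No comparison operator is used, so there is no branch. */
static uint64_t borrow_out(uint64_t x, uint64_t y, uint64_t d)
{
    return ((~x & y) | (~(x ^ y) & d)) >> 63;
}

/* Constant-time range check: returns 1 if a < b. The borrow of a - b is
 * carried through every limb regardless of where the operands differ. */
static int ct_lt(const u256 *a, const u256 *b, size_t *steps)
{
    uint64_t borrow = 0;
    *steps = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        (*steps)++;
        uint64_t x = a->v[i], y = b->v[i];
        uint64_t d = x - y - borrow;
        borrow = borrow_out(x, y, d);
    }
    return (int)borrow;
}

/* Constant-time conditional subtraction, the final step of a modular
 * reduction: r = a - m if a >= m, else r = a. The choice is applied with a
 * mask instead of an if, so both cases run the same instructions. */
static void ct_cond_sub(u256 *r, const u256 *a, const u256 *m)
{
    u256 t;
    uint64_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t x = a->v[i], y = m->v[i];
        uint64_t d = x - y - borrow;
        borrow = borrow_out(x, y, d);
        t.v[i] = d;
    }
    uint64_t keep = 0 - borrow;   /* all ones if a < m, all zeros otherwise */
    for (size_t i = 0; i < LIMBS; i++)
        r->v[i] = (a->v[i] & keep) | (t.v[i] & ~keep);
}

int main(void)
{
    /* Constructed sample values: a is below both b and c, but it differs
     * from b at the lowest limb and from c at the highest one. */
    u256 a = {{5, 0, 0, 0}}, b = {{7, 0, 0, 0}}, c = {{0, 0, 0, 1}}, r;
    size_t s;
    int lt;

    lt = vt_lt(&a, &b, &s);
    printf("vt_lt(a,b)=%d after %zu limbs\n", lt, s);   /* 4 limbs */
    lt = vt_lt(&a, &c, &s);
    printf("vt_lt(a,c)=%d after %zu limbs\n", lt, s);   /* 1 limb  */
    lt = ct_lt(&a, &b, &s);
    printf("ct_lt(a,b)=%d after %zu limbs\n", lt, s);   /* 4 limbs */
    lt = ct_lt(&a, &c, &s);
    printf("ct_lt(a,c)=%d after %zu limbs\n", lt, s);   /* 4 limbs */

    ct_cond_sub(&r, &b, &a);                            /* 7 - 5 = 2 */
    printf("cond_sub(b, a) low limb = %llu\n", (unsigned long long)r.v[0]);
    return 0;
}
```

The step counters only make the shape of the control flow visible; a real measurement would look at cycle counts or use a tool such as a constant-time checker on the compiled object, since the compiler may still introduce branches unless the code is written as above.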