Jacob Bachmeyer wrote:
> That raises another question: is the modular reduction (or more
> importantly its bypass if unneeded) constant-time? In other words, is
> the choice of "use intermediate result (0<X<P) as-is" or "reduce
> intermediate result (P<X<2*P)" constant-time? (It should already be;
> this would be a fairly severe timing leak if it is not.)
In the context of ECDSA (Weierstrass curve), for NIST curves and secp256k1, it's constant-time. For other curves, it's good to have a constant-time implementation, but this goal has not been achieved in libgcrypt yet.

--
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
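The conditional reduction the quoted question asks about, as an added illustration that is not libgcrypt's code: a leaky select beside a mask-based constant-time select over 256-bit limbs modulo the secp256k1 prime (the prime is the standard value; the input values and the limb layout are constructed for this example).

```c
#include <stdint.h>

#define LIMBS 4  /* 256-bit values as four 64-bit limbs, least significant first */

/* secp256k1 field prime p = 2^256 - 2^32 - 977 (standard value). */
static const uint64_t P[LIMBS] = {
    0xFFFFFFFEFFFFFC2FULL, 0xFFFFFFFFFFFFFFFFULL,
    0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL };

/* d = x - y - borrow_in without branches; the borrow-out identity is from
 * Hacker's Delight, so no comparison can become a data-dependent jump. */
static uint64_t sbb(uint64_t x, uint64_t y, uint64_t *borrow) {
    uint64_t d = x - y - *borrow;
    *borrow = ((~x & y) | (~(x ^ y) & d)) >> 63;
    return d;
}

/* Leaky form: the data-dependent conditional on the final borrow is the
 * timing channel the quoted question asks about (kept for comparison). */
void reduce_branching(uint64_t r[LIMBS], const uint64_t x[LIMBS]) {
    uint64_t t[LIMBS], borrow = 0;
    for (int i = 0; i < LIMBS; i++) t[i] = sbb(x[i], P[i], &borrow);
    for (int i = 0; i < LIMBS; i++) r[i] = borrow ? x[i] : t[i];
}

/* Constant-time form: always compute X - P, then merge X or X - P through a
 * mask built from the final borrow.  Same instruction trace for 0 <= X < P
 * (borrow 1, keep X) and for P <= X < 2^256 (borrow 0, keep X - P). */
void reduce_ct(uint64_t r[LIMBS], const uint64_t x[LIMBS]) {
    uint64_t t[LIMBS], borrow = 0;
    for (int i = 0; i < LIMBS; i++) t[i] = sbb(x[i], P[i], &borrow);
    uint64_t keep_x = 0 - borrow;                  /* all ones iff X < P */
    for (int i = 0; i < LIMBS; i++) r[i] = (x[i] & keep_x) | (t[i] & ~keep_x);
}

/* 1 if both forms give the expected result on constructed inputs:
 * X = 7 (< P), X = P + 5, and X = 2^256 - 1 (largest value below 2P). */
int selftest(void) {
    const uint64_t lo[LIMBS]  = {7, 0, 0, 0};
    const uint64_t p5[LIMBS]  = {0xFFFFFFFEFFFFFC34ULL, ~0ULL, ~0ULL, ~0ULL};
    const uint64_t top[LIMBS] = {~0ULL, ~0ULL, ~0ULL, ~0ULL};
    uint64_t a[LIMBS], b[LIMBS];
    reduce_ct(a, lo);  reduce_branching(b, lo);
    if (a[0] != 7 || (a[1] | a[2] | a[3]) || b[0] != 7) return 0;
    reduce_ct(a, p5);  reduce_branching(b, p5);
    if (a[0] != 5 || (a[1] | a[2] | a[3]) || b[0] != 5) return 0;
    reduce_ct(a, top); reduce_branching(b, top);
    return a[0] == 0x1000003D0ULL && !(a[1] | a[2] | a[3]) && b[0] == a[0];
}
```

Both functions return the same values; only the second one keeps the control flow and memory access pattern independent of whether X was already below P.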