On Mon, 31 Oct 2022 17:19:21 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

> > ... you only have one chance to measure, so cannot average out noise ...
>
> There are cases that one chance is enough to place an attack. We normally
> don't discuss vulnerability details in public, please send me an email in
> private if more details are required.
>
> > ... then again, you probably have better methods to get to the key than
> > trying to measure time.
>
> I may have to agree that better methods may exist. But better methods do not
> imply that we can let this method go.

Well, I doubt this would be one of those cases you have in mind...

Your method of computing the inverse looks good to me, but I still think that if we can achieve a better result with an existing general method then we should do that instead of writing special ones for every curve. I think there is a risk in having more code, too.

-------------

PR: https://git.openjdk.org/jdk/pull/10544