On Wed, 2 Nov 2022 14:44:30 GMT, Ferenc Rakoczi <d...@openjdk.org> wrote:
>>> ... you only have one chance to measure, so cannot average out noise ... >> >> There are cases that one chance is enough to place an attack. We normally >> don't discuss vulnerability details in public, please send me an email in >> private if more details is required. >> >>> ... than again, you probably have better methods to get to the key than >>> trying to measure time. >> >> I may have to agree that better methods may exist. But better methods do >> not imply that we can let this method go. > >> > ... you only have one chance to measure, so cannot average out noise ... >> >> There are cases that one chance is enough to place an attack. We normally >> don't discuss vulnerability details in public, please send me an email in >> private if more details is required. >> >> > ... than again, you probably have better methods to get to the key than >> > trying to measure time. >> >> I may have to agree that better methods may exist. But better methods do not >> imply that we can let this method go. > > Well, I doubt this would be one of those cases you have in mind... > Your method of computing the inverse looks good to me, but I still think that > if we can achieve a better result with an existing general method then we > should do that instead of writing special ones for every curve. > I think there is a risk in having more code, too. @ferakocz Did you have further comment? What do you think if we integrate the update? ------------- PR: https://git.openjdk.org/jdk/pull/10544