From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WLJcE-00053B-CC for bitcoin-development@lists.sourceforge.net; Wed, 05 Mar 2014 21:44:38 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.215.47 as permitted sender) client-ip=209.85.215.47; envelope-from=gmaxwell@gmail.com; helo=mail-la0-f47.google.com; Received: from mail-la0-f47.google.com ([209.85.215.47]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WLJcD-0006aj-He for bitcoin-development@lists.sourceforge.net; Wed, 05 Mar 2014 21:44:38 +0000 Received: by mail-la0-f47.google.com with SMTP id y1so1148595lam.34 for ; Wed, 05 Mar 2014 13:44:31 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.112.138.10 with SMTP id qm10mr4742411lbb.19.1394055870927; Wed, 05 Mar 2014 13:44:30 -0800 (PST) Received: by 10.112.189.164 with HTTP; Wed, 5 Mar 2014 13:44:30 -0800 (PST) In-Reply-To: <0720C223-E9DD-4E76-AD6F-0308CA5B5289@gmail.com> References: <0720C223-E9DD-4E76-AD6F-0308CA5B5289@gmail.com> Date: Wed, 5 Mar 2014 13:44:30 -0800 Message-ID: From: Gregory Maxwell To: Eric Lombrozo Content-Type: text/plain; charset=UTF-8 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WLJcD-0006aj-He Cc: Bitcoin Development Subject: Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Mar 2014 21:44:38 -0000 On Wed, Mar 5, 2014 at 1:31 PM, Eric Lombrozo wrote: > If we don't mind sacrificing some performance when signing, there's a fairly > simple way to implement a constant-time constant-cache-access-pattern > secp256k1. > It is based on the idea of branchless implementations of the field and group > operations. Do take care that branchless doesn't mean side-channel free: On non-trivial hardware you must have uniform memory accesses too. (and that itself isn't enough for sidechannel freeness against an attacker that can do power analysis... then you star worrying about the internal structure your primitive adders and the hamming weight of your numbers, and needing to build hardware that uses differential logic, and yuck yuck yuck: This is why you still shouldn't reuse addresses, and why a blinding approach may still be sensible, even if you believe your implementation is hardened against side-channels)