Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WLCRC-0008Oj-UZ for bitcoin-development@lists.sourceforge.net; Wed, 05 Mar 2014 14:04:46 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.223.177 as permitted sender) client-ip=209.85.223.177; envelope-from=pieter.wuille@gmail.com; helo=mail-ie0-f177.google.com; Received: from mail-ie0-f177.google.com ([209.85.223.177]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WLCRC-0000hr-Cd for bitcoin-development@lists.sourceforge.net; Wed, 05 Mar 2014 14:04:46 +0000 Received: by mail-ie0-f177.google.com with SMTP id rl12so1042908iec.22 for ; Wed, 05 Mar 2014 06:04:41 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.42.97.193 with SMTP id p1mr4698914icn.32.1394028281060; Wed, 05 Mar 2014 06:04:41 -0800 (PST) Received: by 10.50.141.135 with HTTP; Wed, 5 Mar 2014 06:04:41 -0800 (PST) In-Reply-To: References: Date: Wed, 5 Mar 2014 15:04:41 +0100 Message-ID: From: Pieter Wuille To: Jean-Paul Kogelman Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (pieter.wuille[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WLCRC-0000hr-Cd Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Mar 2014 14:04:47 -0000 On Wed, Mar 5, 2014 at 2:18 PM, Jean-Paul Kogelman wrote: >> As far as I know, judging from the implementation, there is hardly any >> effort to try to prevent timing attacks. >> > > Is it safe to assume that this is also true for your secp256k1 implementation? I've done some preliminary work on making it leak less, but it's by no means guaranteed to be constant time either (so better assume it is not). -- Pieter