oss-sec mailing list archives

Re: BoringSSL private key loading is not constant time
From: Alex Gaynor <alex.gaynor () gmail com>
Date: Tue, 14 Oct 2025 10:23:22 -0400

I missed this talk at the OpenSSL Conference last week. And I don't
know what _precise_ claims the BoringSSL folks have made.

But it seems to me any claim like "there are no timing side-channels"
has to have an implicit "relevant to a threat model". It's _surely_
the case that many functions in any library exhibit timing
variability, but if this can't be used to leak anything confidential,
it's not really an attack of note. In this case, as I understand it,
the only thing that's alleged to be leaked is the length of a key,
which already wasn't confidential.

Alex

On Mon, Oct 13, 2025 at 11:07 PM Peter Gutmann
<pgut001 () cs auckland ac nz> wrote:

Jeffrey Walton <noloader () gmail com> writes:

What does the attacker learn besides the key length?  Isn't that mostly
public information, like the TLS options used during cipher suite
negotiation?

It's a proof-of-concept from a very entertaining talk at the OpenSSL
conference, "Constant-Time BIGNUM Is Bollocks".  The BoringSSL folks had
claimed there were no timing side-channels in their code; this demonstrates a
timing side-channel.

Admittedly not a terribly useful one :-).

Peter.
-- 
All that is necessary for evil to succeed is for good people to do nothing.