Re: BoringSSL private key loading is not constant time

[Demi Marie Obenour <demiobenour () gmail com>]

On 10/14/25 10:23, Alex Gaynor wrote:
> I missed this talk at the OpenSSL Conference last week. And I don't
> know what _precise_ claims the BoringSSL folks have made.
>
> But it seems to me any claim like "there are no timing side-channels"
> has to have an implicit "relevant to a threat model". It's _surely_
> the case that many functions in any library exhibit timing
> variability, but if this can't be used to leak anything confidential,
> it's not really an attack of note. In this case, as I understand it,
> the only thing that's alleged to be leaked is the length of a key,
> which already wasn't confidential.

It appears to be the number of trailing zero bytes in an elliptic
curve secret key.  That lets an attacker narrow the search space,
but that is all.

> Alex
>
> On Mon, Oct 13, 2025 at 11:07 PM Peter Gutmann
> <pgut001 () cs auckland ac nz> wrote:
> > Jeffrey Walton <noloader () gmail com> writes:
> >
> > > What does the attacker learn besides the key length?  Isn't that mostly
> > > public information, like the TLS options used during cipher suite
> > > negotiation?
> >
> > It's a proof-of-concept from a very entertaining talk at the OpenSSL
> > conference, "Constant-Time BIGNUM Is Bollocks".  The BoringSSL folks had
> > claimed there were no timing side-channels in their code, this demonstrates a
> > timing side-channel.
> >
> > Admittedly not a terribly useful one :-).
> >
> > Peter.


-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature