oss-sec mailing list archives

Re: BoringSSL private key loading is not constant time


From: Billy Brumley <bbb () iki fi>
Date: Tue, 14 Oct 2025 13:12:18 -0400 (EDT)

> It appears to be the number of trailing zero bytes in an elliptic
> curve secret key.  That lets an attacker narrow the search space,
> but that is all.

Thank you, that's accurate from the science perspective.

Yet more importantly, the implementation is not constant time in the accepted model we've been using since 2004. It seems BoringSSL has their own definition for that, better suiting their business model -- "alternative facts"

BBB

--
Dr. Billy B. Brumley, D.Sc. (Tech.)
Research Director, ESL Global Cybersecurity Institute (GCI)
Kevin O'Sullivan Endowed Professor, Department of Cybersecurity (CSEC)
Director, Platform Security Laboratory (PLATSEC)
Rochester Institute of Technology
Cybersecurity Hall 70-1770
100 Lomb Memorial Drive
Rochester, NY, 14623-5608, USA
S/MIME public key: https://people.rit.edu/bbbics/bbbics () rit edu crt
S/MIME public key: https://people.rit.edu/bbbics/bbb () iki fi crt
https://www.rit.edu/directory/bbbics-billy-brumley
https://www.rit.edu/cybersecurity/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

