2021.05.03 13:04:02 (1389173901389824001) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389173101427142658):
Um, two decades of CHES papers?
2021.05.03 03:56:03 (1389035996398989315) from "Luca De Feo (@luca_defeo)":
If anything, the CCA fiasco shows that implementing constant-time comparison isn't easy. Can you show me a CCA-secure scheme (ECC or anything else) that doesn't need constant-time comparison?
2021.05.03 10:31:08 (1389135423641841664) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389035996398989315):
Here's a KEM: Alice's public key is aG. Bob sends random bG as the ciphertext. The session key is a hash of (aG,bG,abG). SIKE is much more complicated than this, and has many more side-channel targets, such as the comparisons in the FO transform used to protect against GPST.
2021.05.03 10:44:38 (1389138820348579842) from Daniel J. Bernstein:
We've seen again and again, for a wide range of cryptographic functions, that implementations without expensive countermeasures are broken at low cost by physical side channels beyond timing. There are many papers quantifying this. Unquantified security claims lack credibility.
2021.05.03 13:00:51 (1389173101427142658) from "Luca De Feo (@luca_defeo)":
Sure. I'm interested in the many papers quantifying this. Could you give pointers?