2017.08.29 08:20:11 (902415565435830273) from Daniel J. Bernstein:
The recommendation in https://eprint.iacr.org/2017/806 (reject some inputs to libgcrypt's variable-time code) is incompetent. System still breakable.
2017.08.29 08:29:30 (902417909431009280) from Daniel J. Bernstein:
The attack in the paper artificially focuses on low-order points, but variable-time code _leaks secrets_ even if those points are rejected.
2017.08.29 08:34:18 (902419117218689025) from Daniel J. Bernstein:
What actually stops all of these timing attacks (in the original Curve25519 paper, in NaCl, and in broad usage today) is constant-time code.
2017.08.29 08:45:38 (902421969177640960) from Daniel J. Bernstein:
Tools to build and verify constant-time code are becoming increasingly easy to use and increasingly convincing. Clearly the right direction.
2017.08.29 08:49:07 (902422845069946880) from Daniel J. Bernstein:
We have one success story after another of constant-time code. Attackers who can't break it tell us to make it more complicated? Ridiculous.
2017.08.29 09:00:55 (902425816163811329) from Daniel J. Bernstein:
We need the trusted crypto code base to be small enough + simple enough to convincingly verify. Unnecessary complexity interferes with this.