The microblog: 2017.08.29 08:20:11

2017.08.29 08:20:11 (902415565435830273) from Daniel J. Bernstein:

The recommendation in (reject some inputs to libgcrypt's variable-time code) is incompetent. System still breakable.

2017.08.29 08:29:30 (902417909431009280) from Daniel J. Bernstein:

The attack in the paper artificially focuses on low-order points, but variable-time code _leaks secrets_ even if those points are rejected.

2017.08.29 08:34:18 (902419117218689025) from Daniel J. Bernstein:

What actually stops all of these timing attacks (in the original Curve25519 paper, in NaCl, and in broad usage today) is constant-time code.

2017.08.29 08:45:38 (902421969177640960) from Daniel J. Bernstein:

Tools to build and verify constant-time code are becoming increasingly easy to use and increasingly convincing. Clearly the right direction.

2017.08.29 08:49:07 (902422845069946880) from Daniel J. Bernstein:

We have one success story after another of constant-time code. Attackers who can't break it tell us to make it more complicated? Ridiculous.

2017.08.29 09:00:55 (902425816163811329) from Daniel J. Bernstein:

We need the trusted crypto code base to be small enough + simple enough to convincingly verify. Unnecessary complexity interferes with this.