Author: Gregory Maxwell 2014-03-05 21:44:30
Published on: 2014-03-05T21:44:30+00:00
In a thread from March 5th, 2014, Eric Lombrozo discussed implementing a constant-time, constant-cache-access-pattern secp256k1. Such an implementation would sacrifice some signing performance, but it could be built from branchless implementations of the field and group operations. However, branchless does not necessarily mean side-channel free: on non-trivial hardware, uniform memory access patterns are required as well. Even with uniform memory access, an implementation may still be vulnerable to power analysis attacks, which would require differential logic to mitigate. Therefore, address reuse should still be avoided, and a blinding approach may still be necessary even when an implementation is believed to be hardened against side-channels.
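As an added example that is not from the thread or from any secp256k1 implementation, the C below illustrates the distinction the summary draws: a table lookup can be free of data-dependent branches yet still leak the secret window index through the address it reads, whereas a lookup that touches every entry in a fixed order and masks in the selected one has a uniform memory access pattern. The limb layout, table size, table contents and helper names are constructed stand-ins.

```c
/* Added illustration (not from the thread or libsecp256k1): branch-free is
 * not the same as uniform memory access. Limb layout below is a stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 4
#define TABLE_SIZE 16   /* e.g. a 4-bit window of precomputed multiples */

/* Stand-in field element: four 64-bit limbs (real code uses 5x52 or 10x26). */
typedef struct { uint64_t n[LIMBS]; } fe;

/* 1 if a == b, else 0, without a data-dependent branch. */
static uint64_t ct_eq_u64(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;                 /* zero iff equal */
    return 1 ^ ((x | (0 - x)) >> 63);   /* top bit of x | -x is set iff x != 0 */
}

/* Returns a when flag == 1, b when flag == 0 (flag must be exactly 0 or 1). */
static uint64_t ct_select_u64(uint64_t a, uint64_t b, uint64_t flag) {
    uint64_t mask = 0 - flag;           /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Swap *a and *b when flag == 1; the kind of primitive a ladder-style
 * group operation uses instead of an if/else on a secret bit. */
static void fe_cswap(fe *a, fe *b, uint64_t flag) {
    uint64_t mask = 0 - flag;
    for (int j = 0; j < LIMBS; j++) {
        uint64_t t = (a->n[j] ^ b->n[j]) & mask;
        a->n[j] ^= t;
        b->n[j] ^= t;
    }
}

/* Variable-time lookup: no branch, but the address read depends on idx,
 * so a cache-timing observer learns which window value was used. */
static void table_lookup_vartime(fe *out, const fe table[TABLE_SIZE], size_t idx) {
    *out = table[idx];
}

/* Constant-time lookup: reads every entry in the same order regardless of
 * idx and masks the selected one into *out. Uniform access pattern. */
static void table_lookup_ct(fe *out, const fe table[TABLE_SIZE], size_t idx) {
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint64_t hit = ct_eq_u64((uint64_t)i, (uint64_t)idx);
        for (int j = 0; j < LIMBS; j++)
            out->n[j] = ct_select_u64(table[i].n[j], out->n[j], hit);
    }
}

/* Self-check: both lookups must agree on every index. Returns 1 on success. */
static int lookup_selfcheck(void) {
    fe table[TABLE_SIZE];
    for (size_t i = 0; i < TABLE_SIZE; i++)            /* constructed contents */
        for (int j = 0; j < LIMBS; j++)
            table[i].n[j] = 0x1234567800000000ULL * (i + 1) + (uint64_t)j;
    for (size_t idx = 0; idx < TABLE_SIZE; idx++) {
        fe a, b;
        table_lookup_vartime(&a, table, idx);
        table_lookup_ct(&b, table, idx);
        if (memcmp(&a, &b, sizeof(fe)) != 0) return 0;
    }
    return 1;
}

/* Self-check for cswap: flag 0 leaves operands alone, flag 1 swaps them. */
static int cswap_selfcheck(void) {
    fe a = {{1, 2, 3, 4}}, b = {{5, 6, 7, 8}};
    fe_cswap(&a, &b, 0);
    if (a.n[0] != 1 || b.n[0] != 5) return 0;
    fe_cswap(&a, &b, 1);
    return a.n[0] == 5 && b.n[3] == 4;
}

int main(void) {
    printf("lookup ok: %d, cswap ok: %d\n", lookup_selfcheck(), cswap_selfcheck());
    return 0;
}
```

Two caveats match the summary's point that such hardening is never a guarantee on its own. First, masked selection is only constant-time if the compiler keeps it that way; an optimizer may rewrite the mask arithmetic back into a conditional branch or a conditional load, so the emitted assembly has to be inspected and the binary measured. Second, a uniform access pattern addresses cache and timing channels only; it does nothing against power analysis, which is why the summary still recommends avoiding address reuse and blinding secret scalars.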
Updated on: 2023-05-19T18:13:39.911596+00:00