Author: Eric Lombrozo 2014-03-05 22:14:20
Published on: 2014-03-05T22:14:20+00:00
In this conversation, Eric Lombrozo suggests a way to implement a constant-time constant-cache-access-pattern secp256k1 based on the concept of branchless implementations of the field and group operations. Gregory Maxwell warns that branchless does not necessarily mean side-channel free and uniform memory accesses are also needed for non-trivial hardware. He also mentions the importance of avoiding address reuse and using a blinding approach to protect against side-channels. The main attack point discussed is differences in how squaring and multiplication or doubling and point addition are performed in the case of field exponentiation or ECDSA, respectively. A branchless implementation where each phase of the operation executes the exact same code and accesses the exact same stack frames would not be vulnerable to FLUSH+RELOAD. The suggested approach makes doubling operations indistinguishable from point additions from the perspective of cache access. The spy program mentioned in the discussion recovers the sequence of point additions and doublings by distinguishing between consecutive doubling operations and ordering them with respect to point additions.
Updated on: 2023-06-08T03:59:08.504115+00:00