A timing attack has been published for signatures created with the ecdsa package on the P-256 curve.
As far as I can tell (grepping for NIST256p), P-256 usage in the bitbox02 package is restricted to verifying signatures. I would therefore conclude that the bitbox02 package is not affected by the vulnerability. Do you agree?
A timing attack has been published for signatures created with the
ecdsa
package on the P-256 curve.As far as I can tell (grepping for
NIST256p
), P-256 usage in thebitbox02
package is restricted to verifying signatures. I would therefore conclude that thebitbox02
package is not affected by the vulnerability. Do you agree?