dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

SECURITY: fix timing variability in backend/serial/u32/scalar.rs #661

Closed tarcieri closed 3 weeks ago

tarcieri commented 3 weeks ago

Similar security fix to #659, but for the 32-bit backend. See that PR for more information about the problem.

rozbb commented 3 weeks ago

Relevant compiler outputs (thanks to @tarcieri):

Without fix. Notice the jns ("jump if not sign") instruction on line 106.

With fix

tarcieri commented 3 weeks ago

@rozbb the godbolt links might be worth including in the commit message when you squash-and-merge