dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

curve: use constant-time compressed equality testing #669

Open AaronFeickert opened 4 days ago

AaronFeickert commented 4 days ago

In line with the safety goals, this PR ensures that CompressedRistretto equality testing is always done in constant time.

Previous work in #229 implemented ConstantTimeEq for CompressedRistretto, but this is not used for Eq equality testing. It's already the case that RistrettoPoint and Scalar perform all equality testing in constant time; this PR unifies this behavior for compressed points as well.
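The pattern this PR applies, as an added illustration rather than curve25519-dalek's own code: a hypothetical 32-byte compressed encoding whose `PartialEq` delegates to a constant-time byte comparison, so that `==` never short-circuits on the first differing byte. The real crate uses the `subtle` crate's `ConstantTimeEq`; the std-only comparison below stands in for it so the example compiles on its own.

```rust
// Added example, not code from curve25519-dalek. `CompressedBytes` is a
// hypothetical stand-in for a compressed point encoding such as
// `CompressedRistretto`; `ct_eq_bytes` plays the role of `subtle::ConstantTimeEq`.

/// Hypothetical 32-byte compressed encoding.
#[derive(Copy, Clone, Debug)]
pub struct CompressedBytes(pub [u8; 32]);

/// Constant-time equality over fixed-length byte arrays: the loop always runs
/// all 32 iterations and the verdict is computed arithmetically, never via an
/// early return on the first mismatch. (Production code such as `subtle` also
/// adds an optimisation barrier so the compiler cannot reintroduce a branch.)
pub fn ct_eq_bytes(a: &[u8; 32], b: &[u8; 32]) -> bool {
    let mut acc: u8 = 0;
    for i in 0..32 {
        acc |= a[i] ^ b[i]; // nonzero iff any byte differs
    }
    // Fold `acc` to one bit without branching:
    // acc == 0 -> (0 - 1) wraps to 0xFFFF, >> 8 gives 0xFF, & 1 gives 1;
    // acc != 0 -> (acc - 1) < 256, >> 8 gives 0.
    let is_equal = ((acc as u16).wrapping_sub(1) >> 8) & 1;
    is_equal == 1
}

/// Variable-time comparison, shown only for contrast: `all` stops at the first
/// mismatching byte, so the time taken depends on where the inputs diverge.
pub fn vt_eq_bytes(a: &[u8; 32], b: &[u8; 32]) -> bool {
    a.iter().zip(b.iter()).all(|(x, y)| x == y)
}

// `Eq`/`PartialEq` route through the constant-time function, so any caller
// writing `x == y` gets constant-time behaviour without opting in, which is
// the unification the PR describes for compressed points.
impl PartialEq for CompressedBytes {
    fn eq(&self, other: &Self) -> bool {
        ct_eq_bytes(&self.0, &other.0)
    }
}
impl Eq for CompressedBytes {}
```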

AaronFeickert commented 4 days ago

Note that dalek-cryptography/subtle#131 would also supply a marker trait that could be useful here to signal this "all equality is constant time" behavior.