The draft says "this algorithm MUST NOT be used in applications where the VRF input alpha must be kept secret" because of possible timing attacks. However, timing attacks may not be possible in some settings, may be mitigated in others, and anyway, as the draft itself says, the leakage is very small (expected 1 bit). Does MUST NOT really belong there?