Closed gopherbot closed 9 years ago
Absolutely, neither crypto/elliptic nor crypto/rsa is constant time (although the latter uses blinding.) Writing constant time implementations is a lot of work. I've written a constant time P224 in C++, which could be ported: http://src.chromium.org/viewvc/chrome/trunk/src/crypto/p224.cc?revision=108903&view=markup (although it's simple rather than fast.) The constant time P256 and P521 that I wrote are the OpenSSL implementations (crypto/ec/ecp_nistp256.c). However, they're designed for 64-bit machines and use a 64-bit full-mult, which Go doesn't have native support for. (math/big uses asm to get at it on platforms that support it.)
Labels changed: added priority-low, packagechange, removed priority-medium.
I'll do a change this week to add a comment on Unmarshal that verification may be needed. In the most common case it's not needed at all, and in some cases one needs to verify subgroup membership (which is very expensive), so I don't think one size can fit all.
Labels changed: added go1.2, removed priority-someday.
Status changed to Started.
For the NIST curves subgroup membership verification is automatic with validating curve membership. The lack of validation of curve membership, together with the fact that the Jacobian addition formula and doubling formula do not depend on the curve, lead to an easy attack on Diffie-Hellman implementations using them without validation, by picking points on curve of smooth orders.
crypto/elliptic is not limited groups with a small cofactor w.r.t. subgroups. But, on the other hand, all current uses of ECDH in the Go code are ephemeral so picking a different curve isn't useful for an attacker. So I can't prescribe a validation that's sufficient and minimal for everyone. At this level of the code, some understanding is required. Higher-level, friendly APIs are implemented in go.crypto/nacl/box.
CL https://golang.org/cl/2421 mentions this issue.
by watsonbladd: