search

henrycg / balloon

A memory-hard password hashing function.
https://crypto.stanford.edu/balloon/
ISC License
63 stars 17 forks source link

Non-constant time base64 #7

Open Sc00bz opened 3 years ago

Sc00bz commented 3 years ago

You should be using a constant time base64 encode/decode. I'd suggest using: https://github.com/Sc00bz/ConstTimeEncoding

pro465 commented 1 year ago

what does that mean? skimming over the c++ src, it seems to be O(N) time...

jedisct1 commented 1 year ago

what does that mean? skimming over the c++ src, it seems to be O(N) time...

Table lookups are not guaranteed to be free of side channels.

pro465 commented 1 year ago

oh so that's what you meant. thanks for the speedy response @jedisct1, and yeah i guess then @Sc00bz is right about saying that the author "should be using" that, even though it sounded like they are advertising their library.

henrycg commented 1 year ago

Please feel free to open a PR for this and I can review and merge it.