intel / cryptography-primitives

Apache License 2.0

Constant-time arithmetics #1

Closed mratsim closed 5 years ago

mratsim commented 5 years ago

Several cryptography primitives are using branching which might leave secret keys open to side-channel attacks.

Can we have a document that details which primitives are constant-time and which are not? Also, is side-channel attack resistance a goal?

skirillo commented 5 years ago

Agreed, branching inside secret data processing is the way to the loss of the secret. Unfortunately the problem is not limited to “branching” only. Another side of “constant-execution-time” is data access. So both the control flow and the data access pattern should not have any “visible” (or “measured”) secret data dependence.

I don’t think we need a documented list of “constant-execution-time” primitives. I am suggesting that any part of a primitive targeted at processing secret data should have the “constant-execution-time” property (it is slightly different from the property applied to the whole primitive). If the opposite is detected as a result of inside or outside activity, the team fixes it. We are trying to be proactive here, improving our tests in terms of security validation.

Customer security is our goal, and attack resistance is one of the important components here.
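The two leak classes named in the comment above (secret-dependent control flow and secret-dependent data access) side by side with constant-time replacements, as an added example that is not part of the thread and not code from intel/cryptography-primitives. The function names `vt_equal`, `ct_equal`, `vt_table_lookup`, `ct_table_lookup` and the sample tag and table bytes are this example's own, not the library's API.

```c
/* Added example, not code from intel/cryptography-primitives. It contrasts
 * the two leak classes named in the thread (secret-dependent control flow
 * and secret-dependent data access) with constant-time replacements.
 * ct_equal / ct_table_lookup and the sample data below are this
 * example's own, not the library's API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs: a 16-byte "expected tag", a guess that differs
 * only in the last byte, and a small lookup table standing in for an S-box. */
const uint8_t sample_tag_a[16] = {
    0x8f, 0x21, 0x6c, 0xd3, 0x40, 0x97, 0xbe, 0x0a,
    0x55, 0xe1, 0x2b, 0x7c, 0x93, 0x6e, 0xa4, 0x1f };
const uint8_t sample_tag_b[16] = {
    0x8f, 0x21, 0x6c, 0xd3, 0x40, 0x97, 0xbe, 0x0a,
    0x55, 0xe1, 0x2b, 0x7c, 0x93, 0x6e, 0xa4, 0x1e };
const uint32_t sample_sbox[8] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 };

/* Leaky: exits at the first mismatch, so the loop count (and timing)
 * tells an attacker how many leading bytes of the secret tag they got
 * right. Comparing sample_tag_a against sample_tag_b runs all 16 rounds;
 * a guess wrong in byte 0 would run one. */
int vt_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;            /* secret-dependent early exit */
    }
    return 1;
}

/* Constant-time: always visits all n bytes, ORs the differences into an
 * accumulator, and turns "acc == 0" into 0/1 with arithmetic, not a branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    /* acc is 0..255: (acc - 1) has its top bit set only when acc == 0 */
    return (int)((acc - 1u) >> 31);
}

/* Leaky: the address loaded depends on idx, so a cache-timing observer
 * (Prime+Probe, Flush+Reload) learns which entry was used. */
uint32_t vt_table_lookup(const uint32_t *table, size_t n, size_t idx)
{
    (void)n;
    return table[idx];           /* secret-dependent memory access */
}

/* Constant-time: reads every entry and keeps the wanted one with an
 * all-ones/all-zeros mask; the access pattern is identical for every idx. */
uint32_t ct_table_lookup(const uint32_t *table, size_t n, size_t idx)
{
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t diff = (uint64_t)(i ^ idx);
        /* is_zero == 1 iff diff == 0: diff | -diff has its top bit set
         * for every non-zero value and is 0 only for zero */
        uint64_t is_zero = ((diff | (0u - diff)) >> 63) ^ 1u;
        uint32_t mask = (uint32_t)(0u - is_zero);   /* 0xFFFFFFFF or 0 */
        result |= table[i] & mask;
    }
    return result;
}

int main(void)
{
    printf("vt_equal: %d, ct_equal: %d\n",
           vt_equal(sample_tag_a, sample_tag_b, 16),
           ct_equal(sample_tag_a, sample_tag_b, 16));
    printf("vt_lookup[5]=0x%02x, ct_lookup[5]=0x%02x\n",
           vt_table_lookup(sample_sbox, 8, 5),
           ct_table_lookup(sample_sbox, 8, 5));
    return 0;
}
```

Both constant-time functions return the same values as their leaky counterparts; the difference is only in what the loop count and the addresses touched reveal. A caveat a practitioner should keep in mind: the C standard gives no timing guarantees, and an optimizing compiler is free to turn the mask selection back into a branch, so code like this has to be checked at the assembly level or with a timing-leak tool rather than trusted from the source alone.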