Open algoradam opened 6 years ago
We're confused about part of the ECVRF_prove function. ECVRF_prove calls GeScalarMult to multiply h by the secret scalar x. GeScalarMult calls edwards25519.GeDoubleScalarMultVartime on x, which appears to implement variable-time point multiplication. This would seem to suggest that timing attacks on ECVRF_prove could leak the secret key x. Are we missing something? Call chain: https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/vrf_ed25519.go#L62 https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/vrf_ed25519.go#L245 https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/edwards25519/edwards25519.go#L877 https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/edwards25519/edwards25519.go#L901 (variable time sliding window exponentiation)
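To make the concern above concrete, here is an added example (not code from the r2ishiguro/vrf repository) contrasting textbook variable-time double-and-add with a Montgomery ladder on a twisted Edwards curve. The curve parameters (p = 11, a = 1, d = 2, base point (3, 4)) are a constructed toy chosen so the arithmetic can be checked by hand; they are not Ed25519's. Instead of timing the code, each routine counts group operations: the variable-time version performs a point addition only for set bits, so the count tracks the Hamming weight of the scalar, while the ladder does one addition and one doubling per bit regardless of the scalar. Note that Go's math/big is itself variable-time, so this shows the control-flow property a constant-time scalar multiplication needs, not a production-grade implementation.

```go
package main

import (
	"fmt"
	"math/big"
)

// Curve is a twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p.
type Curve struct{ P, A, D *big.Int }

// Point is an affine point; the neutral element is (0, 1).
type Point struct{ X, Y *big.Int }

// Constructed toy parameters (NOT Ed25519): p = 11, a = 1 (a square), d = 2 (a non-square),
// so the addition law below is complete and never divides by zero.
var toy = Curve{P: big.NewInt(11), A: big.NewInt(1), D: big.NewInt(2)}
var toyBase = Point{X: big.NewInt(3), Y: big.NewInt(4)} // 9 + 16 = 3 = 1 + 2*9*16 (mod 11)

// OpCount stands in for a timing measurement: a scalar-dependent branch shows up
// as a scalar-dependent number of group operations.
type OpCount struct{ Adds, Doubles int }

func (c Curve) mod(z *big.Int) *big.Int { return z.Mod(z, c.P) }

// Add is the complete twisted Edwards addition law (also used for doubling), so the
// only data-dependent branch in this file is the one inside the scalar loop.
func (c Curve) Add(p, q Point) Point {
	x1y2 := new(big.Int).Mul(p.X, q.Y)
	y1x2 := new(big.Int).Mul(p.Y, q.X)
	x1x2 := new(big.Int).Mul(p.X, q.X)
	y1y2 := new(big.Int).Mul(p.Y, q.Y)
	t := c.mod(new(big.Int).Mul(new(big.Int).Mul(c.D, x1x2), y1y2)) // d*x1*x2*y1*y2
	one := big.NewInt(1)
	invX := new(big.Int).ModInverse(c.mod(new(big.Int).Add(one, t)), c.P)
	invY := new(big.Int).ModInverse(c.mod(new(big.Int).Sub(one, t)), c.P)
	x3 := c.mod(new(big.Int).Mul(c.mod(new(big.Int).Add(x1y2, y1x2)), invX))
	y3 := c.mod(new(big.Int).Mul(c.mod(new(big.Int).Sub(y1y2, new(big.Int).Mul(c.A, x1x2))), invY))
	return Point{x3, y3}
}

func (c Curve) Identity() Point     { return Point{big.NewInt(0), big.NewInt(1)} }
func (p Point) Equal(q Point) bool { return p.X.Cmp(q.X) == 0 && p.Y.Cmp(q.Y) == 0 }

// ScalarMultVartime is textbook double-and-add: Add runs only when the current bit of k
// is set, so operation count (and running time) depends on the secret scalar.
func (c Curve) ScalarMultVartime(k *big.Int, p Point) (Point, OpCount) {
	var ops OpCount
	r := c.Identity()
	for i := k.BitLen() - 1; i >= 0; i-- {
		r = c.Add(r, r)
		ops.Doubles++
		if k.Bit(i) == 1 { // secret-dependent branch
			r = c.Add(r, p)
			ops.Adds++
		}
	}
	return r, ops
}

// cswap swaps a and b when bit == 1 using mask arithmetic rather than a branch.
// (math/big operations are not constant-time, so this only models the technique.)
func cswap(bit uint, a, b Point) (Point, Point) {
	mask := big.NewInt(-int64(bit)) // 0 or -1 (all ones in two's complement)
	sw := func(u, v *big.Int) (*big.Int, *big.Int) {
		t := new(big.Int).And(new(big.Int).Xor(u, v), mask)
		return new(big.Int).Xor(u, t), new(big.Int).Xor(v, t)
	}
	ax, bx := sw(a.X, b.X)
	ay, by := sw(a.Y, b.Y)
	return Point{ax, ay}, Point{bx, by}
}

// ScalarMultLadder is a Montgomery ladder over a fixed number of bits: every iteration
// performs exactly one Add and one doubling, with the invariant r1 = r0 + p.
func (c Curve) ScalarMultLadder(k *big.Int, p Point, nbits int) (Point, OpCount) {
	var ops OpCount
	r0, r1 := c.Identity(), p
	for i := nbits - 1; i >= 0; i-- {
		bit := k.Bit(i)
		r0, r1 = cswap(bit, r0, r1)
		r1 = c.Add(r0, r1)
		ops.Adds++
		r0 = c.Add(r0, r0)
		ops.Doubles++
		r0, r1 = cswap(bit, r0, r1)
	}
	return r0, ops
}

func main() {
	// 8 = 0b1000 and 15 = 0b1111 have the same bit length but different Hamming weight.
	for _, k := range []int64{8, 15} {
		kb := big.NewInt(k)
		_, v := toy.ScalarMultVartime(kb, toyBase)
		_, l := toy.ScalarMultLadder(kb, toyBase, 4)
		fmt.Printf("k=%04b  vartime: %d adds, %d doubles   ladder: %d adds, %d doubles\n",
			k, v.Adds, v.Doubles, l.Adds, l.Doubles)
	}
}
```

Both routines compute the same point, but only the ladder's operation profile is independent of the scalar. The same distinction applies to the call chain in the issue: a routine named `Vartime` is appropriate for the verifier, which works only on public data, and not for multiplying by the secret x in the prover.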
Thanks for pointing this out. Tried to make it a little less variable-time. Check it out.