r2ishiguro / vrf

a VRF implementation following this ietf draft: https://tools.ietf.org/html/draft-goldbe-vrf-00
Apache License 2.0

Does ECVRF_prove use constant-time point multiplication? #1

Open algoradam opened 6 years ago

algoradam commented 6 years ago

We're confused about part of the ECVRF_prove function. ECVRF_prove calls GeScalarMult to multiply h by the secret scalar x. GeScalarMult calls edwards25519.GeDoubleScalarMultVartime on x, which appears to implement variable-time point multiplication. This would seem to suggest that timing attacks on ECVRF_prove could leak the secret key x. Are we missing something?

Call chain:
https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/vrf_ed25519.go#L62
https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/vrf_ed25519.go#L245
https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/edwards25519/edwards25519.go#L877
https://github.com/r2ishiguro/vrf/blob/master/go/vrf_ed25519/edwards25519/edwards25519.go#L901 (variable time sliding window exponentiation)
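To make the concern in this issue concrete, the following is an added example in Go (not code from this repository or its edwards25519 package) that contrasts the square-and-multiply pattern, whose work depends on the bits of the scalar, with a Montgomery ladder that does the same operations for every scalar. It assumes a toy group (multiplication modulo the Mersenne prime 2^61-1, chosen so the sample runs stand-alone with fixed-cost operations) in place of the curve group; only the ladder structure, the mask-based swap and the constant operation count are the point.

```go
package main
import "math/bits"

// Toy group: multiply mod the Mersenne prime 2^61-1, so each op costs the
// same. It only stands in for the curve group to show the ladder's shape.
const p = 1<<61 - 1

func groupOp(a, b uint64) uint64 { // a*b mod p: no division, no branch
	hi, lo := bits.Mul64(a, b)
	s := (hi<<3 | lo>>61) + (lo & p) // fold once: 2^61 == 1 (mod p)
	s = (s >> 61) + (s & p)          // fold again: s is now in [0, 2^61]
	r, borrow := bits.Sub64(s, p, 0) // borrow == 1 exactly when s < p
	return (s & -borrow) | (r &^ -borrow) // mask-select s (s<p) or s-p
}

func cswap(swap uint64, a, b *uint64) { // swap when swap == 1, via a mask
	t := -swap & (*a ^ *b)
	*a, *b = *a^t, *b^t
}

// ladderMult computes g^k with a Montgomery ladder: every bit of k costs one
// multiply and one square, so op count and branch pattern never depend on k.
func ladderMult(g, k uint64) (result uint64, ops int) {
	r0, r1 := uint64(1), g
	for i := 63; i >= 0; i-- {
		bit := (k >> uint(i)) & 1
		cswap(bit, &r0, &r1)
		r1, r0 = groupOp(r0, r1), groupOp(r0, r0)
		cswap(bit, &r0, &r1)
		ops += 2
	}
	return r0, ops
}

// naiveMult is the variable-time square-and-multiply the issue warns about.
func naiveMult(g, k uint64) (result uint64, ops int) {
	r := uint64(1)
	for i := 63; i >= 0; i-- {
		r, ops = groupOp(r, r), ops+1
		if (k>>uint(i))&1 == 1 { // secret-dependent branch: timing leaks k
			r, ops = groupOp(r, g), ops+1
		}
	}
	return r, ops
}
func main() {
	_, n := naiveMult(3, 1) // 65 ops; 128 for an all-ones scalar
	_, c := ladderMult(3, 1) // 128 ops for every scalar
	println("naive ops:", n, "ladder ops:", c)
}
```

Both functions return the same group element, but only the ladder's operation count is independent of the scalar, which is the property the secret multiplication in ECVRF_prove needs.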

r2ishiguro commented 6 years ago

Thanks for pointing that out. Tried to make it a little less variable time. Check it out.