On 11/22/22 11:59 AM, Simo Sorce wrote:
> On Tue, 2022-11-22 at 17:13 +0100, Fabio Valentini wrote:
>> - rust-curve25519-dalek
>
> Asymmetric cryptography in pure rust should not be used; there is still
> no support in the language for constant time operations, which means
> there is a fat chance these implementations are susceptible to trivial
> timing attacks.
>
> The only caveat is if the "pure rust" implementation actually embeds
> assembly optimizations for modular arithmetic that are explicitly
> addressing constant time computation.
>
> I am not aware of that being the case in any rust libraries yet.

FWIW, they do make claims about this:

https://github.com/dalek-cryptography/curve25519-dalek/issues/157
https://github.com/dalek-cryptography/curve25519-dalek/blob/main/README.md#safety

> All operations are implemented using constant-time logic (no
> secret-dependent branches, no secret-dependent memory accesses),
> unless specifically marked as being variable-time code. We believe
> that our constant-time logic is lowered to constant-time assembly, at
> least on x86_64 targets.
>
> As an additional guard against possible future compiler
> optimizations, the subtle crate places an optimization barrier before
> every conditional move or assignment. More details can be found in
> the documentation for the subtle crate.

We package rust-subtle as well, so that's probably a useful trail to any
crates that are claiming pure-rust constant-time cryptography.

Anyway, I'll leave it to cryptography experts to verify these claims.
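As an added illustration (not code from this thread, from curve25519-dalek or from the subtle crate) of the pattern the quoted README describes: a secret-dependent branch shown beside a mask-based conditional select and a constant-time byte comparison, with a volatile-read optimization barrier standing in for the one subtle says it places before each conditional move. The `black_box` helper and the `select_*`/`ct_eq` names are this example's own.

```rust
use core::ptr;

/// Optimization barrier (assumed pattern, not subtle's own code): a volatile
/// read the optimizer is not allowed to reason through, so the 0/1 choice
/// cannot be turned back into a branch on the secret.
#[inline(never)]
fn black_box(x: u8) -> u8 {
    unsafe { ptr::read_volatile(&x) }
}

/// Variable-time: the `if` is a secret-dependent branch, which is exactly
/// what constant-time code must avoid.
fn select_vartime(a: u32, b: u32, choice: bool) -> u32 {
    if choice { b } else { a }
}

/// Constant-time conditional select: expand the 0/1 choice into an
/// all-zeros / all-ones mask and blend, with no branch and no lookup
/// indexed by the secret.
fn select_ct(a: u32, b: u32, choice: u8) -> u32 {
    debug_assert!(choice <= 1);
    let mask = (black_box(choice) as u32).wrapping_neg(); // 0x0000_0000 or 0xFFFF_FFFF
    a ^ (mask & (a ^ b))
}

/// Constant-time equality of two equal-length byte slices: OR together every
/// XOR difference and only collapse the accumulator at the end, so the work
/// done does not depend on where (or whether) the inputs differ.
/// Returns 1 if equal, 0 otherwise.
fn ct_eq(a: &[u8], b: &[u8]) -> u8 {
    assert_eq!(a.len(), b.len(), "lengths are public and must match");
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    // (d | -d) >> 31 is 1 iff d != 0, computed without a branch.
    let d = diff as u32;
    let nonzero = ((d | d.wrapping_neg()) >> 31) as u8;
    1 ^ black_box(nonzero)
}

fn main() {
    println!("select_vartime(5, 9, true) = {}", select_vartime(5, 9, true));
    println!("select_ct(5, 9, 1)         = {}", select_ct(5, 9, 1));
    println!("ct_eq(secret, secret)      = {}", ct_eq(b"secret", b"secret"));
    println!("ct_eq(secret, secreT)      = {}", ct_eq(b"secret", b"secreT"));
}
```

Whether such logic is actually lowered to constant-time assembly is a property of the compiler and target, which is why the README hedges with "we believe" and a volatile barrier rather than a guarantee.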
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx