On 2015-06-10, Mehdi Sotoodeh <mehdisotoodeh@xxxxxxxxx> wrote:

> I have developed a compact at the same time high performance library for
> curve25519/ed25519 and I have placed it in the public domain. It supports DH
> key exchange as well as ed25519 keygen, sign and verify. The implementation
> is constant-time, supports blinding, bulk-verify and more.
     ^^^^^^^^^^^^^

I'm skeptical of this claim. The ecp_Cmp() function is blatantly not
constant-time, and strewn about the source there are various unbalanced
if(...) branches and while(...) loops with a variable number of iterations.

--
Christian "naddy" Weisgerber
naddy@xxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
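To make the objection concrete, here is an added example (not code from the library under discussion, nor from either poster) contrasting an early-exit ordering compare of multi-limb field elements with one that touches every limb and derives the result from masks instead of control flow. It assumes a 256-bit value held as eight 32-bit little-endian limbs; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 256-bit values as 8 x 32-bit limbs, least significant limb first. */
#define LIMBS 8

/* Early-exit compare: its running time depends on where a and b first differ,
   which is the pattern the reply objects to in ecp_Cmp(). */
int cmp_leaky(const uint32_t a[LIMBS], const uint32_t b[LIMBS]) {
    for (int i = LIMBS - 1; i >= 0; i--) {
        if (a[i] > b[i]) return 1;
        if (a[i] < b[i]) return -1;
    }
    return 0;
}

/* All-ones mask if x < y, else 0. The 64-bit subtraction borrows exactly when
   x < y, so bit 63 of the difference carries the answer with no branch. */
static uint32_t ct_lt_mask(uint32_t x, uint32_t y) {
    uint64_t d = (uint64_t)x - (uint64_t)y;
    return (uint32_t)(0 - (uint32_t)(d >> 63));
}

/* Constant-time compare: every limb is visited, and the most significant
   differing limb wins because later (less significant) limbs are masked off
   once a decision has been recorded. Returns 1, -1 or 0 like cmp_leaky(). */
int cmp_ct(const uint32_t a[LIMBS], const uint32_t b[LIMBS]) {
    uint32_t gt = 0, lt = 0;                     /* decision masks so far */
    for (int i = LIMBS - 1; i >= 0; i--) {
        uint32_t lt_i = ct_lt_mask(a[i], b[i]);
        uint32_t gt_i = ct_lt_mask(b[i], a[i]);
        uint32_t undecided = ~(gt | lt);         /* all-ones until a limb differs */
        gt |= gt_i & undecided;
        lt |= lt_i & undecided;
    }
    return (int)(gt & 1) - (int)(lt & 1);        /* gt and lt never both set */
}

/* Constructed sample values (not from the library). */
static const uint32_t A[LIMBS] = {0x00000001, 0, 0, 0, 0, 0, 0, 0x7fffffff};
static const uint32_t B[LIMBS] = {0x00000002, 0, 0, 0, 0, 0, 0, 0x7fffffff};
static const uint32_t C[LIMBS] = {0x00000000, 0, 0, 0, 0, 0, 0, 0x80000000};

/* Returns 1 when the constant-time compare agrees with the leaky one on the samples. */
int selftest(void) {
    return cmp_ct(A, B) == -1 && cmp_ct(B, A) == 1 && cmp_ct(A, A) == 0
        && cmp_ct(C, A) == 1 && cmp_ct(A, C) == -1
        && cmp_ct(A, B) == cmp_leaky(A, B) && cmp_ct(C, A) == cmp_leaky(C, A);
}

int main(void) { printf("selftest: %s\n", selftest() ? "ok" : "FAIL"); return !selftest(); }
```

Compiler optimisation can reintroduce branches, so a routine like cmp_ct() should be checked in the emitted assembly rather than trusted from its source alone.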