Conversation
| // Package partiallyblindrsa implements a partially blind RSA protocol. | ||
| // | ||
| // Warning: The per-request derivation of the metadata-specific key uses | ||
| // math/big and is not constant time in the private key. |
There was a problem hiding this comment.
| // math/big and is not constant time in the private key. | |
| // math/big and may therefore leak the private key via a timing side channel. |
There was a problem hiding this comment.
I think it's better to write a bit about this in README.md (todo). Better to mark where things are not constant time for now.
| // by Victor Shoup [1]. | ||
| // | ||
| // Warning: Sign operations rely on math/big and are not constant time in the | ||
| // secret key share. Pass a non-nil random source to Sign to enable blinding. |
There was a problem hiding this comment.
Do you mean "blinding" as in "masking side channels" or "blinding factor in a cryptographic operation"? If the former, mention how the random source is used for masking.
It also seems a bit weird that randomness source controls this behavior. What else is the randomness source used for in this function?
There was a problem hiding this comment.
Blinding is the standard way to do this for RSA: it's rare for RSA to be implemented in constant time. I'd rather mention the fact then give a lecture in the comments.
lukevalenta
left a comment
There was a problem hiding this comment.
Approved pending addressing Chris' comments
Uh oh!
There was an error while loading. Please reload this page.