2 Matching Annotations
  1. Nov 2022
    1. From the Introduction to Ed25519, there are some speed benefits, and some security benefits. One of the more interesting security benefits is that it is immune to several side channel attacks: No secret array indices. The software never reads or writes data from secret addresses in RAM; the pattern of addresses is completely predictable. The software is therefore immune to cache-timing attacks, hyperthreading attacks, and other side-channel attacks that rely on leakage of addresses through the CPU cache. No secret branch conditions. The software never performs conditional branches based on secret data; the pattern of jumps is completely predictable. The software is therefore immune to side-channel attacks that rely on leakage of information through the branch-prediction unit. For comparison, there have been several real-world cache-timing attacks demonstrated on various algorithms. http://en.wikipedia.org/wiki/Timing_attack

      Further arguments that Ed25519 is less vulnerable to - cache-timing attacks - hyperthreading attacks - other side-channel attacks that rely on leakage of addresses through CPU cache Also boasts - no secret branch conditions (no conditional branches based on secret data since pattern of jumps is predictable)

      Predicable because underlying process that generated it isn't a black box?

      Could ML (esp. NN, and CNN) be a parallel? Powerful in applications but huge risk given uncertainty of underlying mechanism?

      Need to read papers on this

    2. More "sales pitch" comes from this IETF draft: While the NIST curves are advertised as being chosen verifiably at random, there is no explanation for the seeds used to generate them. In contrast, the process used to pick these curves is fully documented and rigid enough so that independent verification has been done. This is widely seen as a security advantage, since it prevents the generating party from maliciously manipulating the parameters. – ATo Aug 21, 2016 at 7:25

      An argument why Ed25519 signature alg & Curve 25519 key exchange alg is more secure; less vulnerable to side attacks since the process that generates is have been purportedly verified and extensively documented.