MV-02-005 OpenPGP.js: Not all elliptic curve primitives are constant time (Low) #720

Open
cure53 opened this issue Jun 15, 2018 · 0 comments
cure53 commented Jun 15, 2018

It was found that the elliptic curve ciphers offered by OpenPGP.js are exposed by different providers depending on the underlying client platform. Some curves (secp256k1, all brainpool variants, Curve25519 and ED25519) are only exposed via the elliptic.js provider. That provider does not appear to implement constant-time logic for elliptic curve operations.

For Curve25519 and ED25519, this is less of a problem since these curves use the Montgomery elliptic curve equations, which are almost always constant time but with some notable exceptions. However, OpenPGP.js will always run scalar multiplication operations on the other curves in non-constant time. This is because Edwards curves and Weierstrass curves require custom logic in order to behave in a constant-time fashion.

Affected Code:
https://github.com/openpgpjs/elliptic.git

Since JavaScript makes constant-time execution more difficult to reliably achieve, there exists no sure-fire recommendation for achieving constant-time operation on these primitives in the current library. Instead, we recommend simply prioritizing the migration to lower-level implementations. These can eventually be provided by NodeCrypto (which uses OpenSSL) and WebCrypto.

However, recent research interest in producing constant time primitives in WebAssembly may also lead to easily loadable web libraries that perform all ECC operations in constant time in the near future.
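
An added illustration, not part of the original issue and not code from elliptic.js or OpenPGP.js: it counts group operations for a textbook double-and-add scalar multiplication and for a Montgomery ladder on a Weierstrass curve, showing that the first has a cost that depends on the scalar's bits while the second does not. The curve, base point, and all function names are constructed for the example.

```javascript
// Toy curve y^2 = x^3 + 7 over F_17, base point (15, 13): constructed, far too small for real use.
const P = 17n, G = { x: 15n, y: 13n };
const mod = (a) => ((a % P) + P) % P;
// Modular inverse by Fermat's little theorem: a^(P-2) mod P.
function inv(a) {
  let r = 1n, b = mod(a);
  for (let e = P - 2n; e > 0n; e >>= 1n) {
    if (e & 1n) r = mod(r * b);
    b = mod(b * b);
  }
  return r;
}
let ops = 0; // group operations performed by the current multiplication
// Affine Weierstrass addition; null is the point at infinity.
function add(A, B) {
  ops++;
  if (A === null) return B;
  if (B === null) return A;
  if (A.x === B.x && mod(A.y + B.y) === 0n) return null;
  const s = A.x === B.x
    ? mod(3n * A.x * A.x * inv(2n * A.y))      // tangent slope (doubling)
    : mod((B.y - A.y) * inv(B.x - A.x));       // chord slope (addition)
  const x = mod(s * s - A.x - B.x);
  return { x, y: mod(s * (A.x - x) - A.y) };
}
// Double-and-add: the extra add runs only for 1-bits, so cost tracks the scalar.
function doubleAndAdd(k, Q, bits) {
  ops = 0;
  let R = null;
  for (let i = bits - 1; i >= 0; i--) {
    R = add(R, R);
    if ((k >> BigInt(i)) & 1n) R = add(R, Q);
  }
  return { R, ops };
}
// Montgomery ladder: one add and one double per bit, whatever the bit is.
// The branch and BigInt arithmetic are still variable-time in JavaScript;
// only the operation schedule is fixed here.
function ladder(k, Q, bits) {
  ops = 0;
  let R0 = null, R1 = Q;
  for (let i = bits - 1; i >= 0; i--) {
    if ((k >> BigInt(i)) & 1n) { R0 = add(R0, R1); R1 = add(R1, R1); }
    else { R1 = add(R0, R1); R0 = add(R0, R0); }
  }
  return { R: R0, ops };
}
```

With 8-bit scalars, `doubleAndAdd` performs 10 group operations for `0x81n` and 16 for `0xFFn`, while `ladder` performs 16 for both and returns the same points.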
