You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It was found that the elliptic curve ciphers offered by OpenPGP.js are exposed by different providers depending on the underlying client platform. Some curves (secp256k1, all brainpool variants, Curve25519 and ED25519) are only exposed via the elliptic.js provider. That provider does not appear to implement constant-time logic for elliptic curve operations.
For Curve25519 and ED25519, this less of a problem since these curves use the Montgomery elliptic curve equations, which are almost always constant time but with some notable exceptions. However, OpenPGP.js will always run scalar multiplication operations on the other curves in non-constant time. This is because Edwards curves and Weierstrass curves require custom logic in order to behave in a constant time fashion.
Since JavaScript makes constant-time execution more difficult to reliably achieve, there exists no sure-fire recommendation for achieving constant time operation on these primitives in the current library. Instead, we recommend simply prioritizing the migration in to lower-level implementations. These can be eventually provided by NodeCrypto (which uses OpenSSL) and WebCrypto.
However, recent research interest in producing constant time primitives in WebAssembly may also lead to easily loadable web libraries that perform all ECC operations in constant time in the near future.
The text was updated successfully, but these errors were encountered:
It was found that the elliptic curve ciphers offered by OpenPGP.js are exposed by different providers depending on the underlying client platform. Some curves (secp256k1, all brainpool variants, Curve25519 and ED25519) are only exposed via the elliptic.js provider. That provider does not appear to implement constant-time logic for elliptic curve operations.
For Curve25519 and ED25519, this less of a problem since these curves use the Montgomery elliptic curve equations, which are almost always constant time but with some notable exceptions. However, OpenPGP.js will always run scalar multiplication operations on the other curves in non-constant time. This is because Edwards curves and Weierstrass curves require custom logic in order to behave in a constant time fashion.
Affected Code:
https://github.com/openpgpjs/elliptic.git
Since JavaScript makes constant-time execution more difficult to reliably achieve, there exists no sure-fire recommendation for achieving constant time operation on these primitives in the current library. Instead, we recommend simply prioritizing the migration in to lower-level implementations. These can be eventually provided by NodeCrypto (which uses OpenSSL) and WebCrypto.
However, recent research interest in producing constant time primitives in WebAssembly may also lead to easily loadable web libraries that perform all ECC operations in constant time in the near future.
The text was updated successfully, but these errors were encountered: