home.social

#constant-time — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #constant-time, aggregated by home.social.

  1. @MishaVelthuis : there may be a delay because humans prefer analysing higher level source code.

    OTOH, with my very limited knowledge of AI/LLMs, I bet that reverse engineering software (such as IDA Pro, en.wikipedia.org/wiki/Interact) will definitely benefit.

    Note that in specific cases, such as optimisation performed by compilers (typically affected by settings and/or commandline parameters), the actual code processed by a CPU may behave differently from what the source code suggests.

    For example, "constant-time cryptography" is essential in certain cases to prevent that an attacker can deduce secrets (such as encryption/decryption keys) from the time a routine takes to execute. Staring at source code may not suffice.

    #ConstantTime #SideChannelAttacks

  2. Security is hard.

    The TL;DR is: Do not lose possession of your private key.

    Addendum: This is from a year ago, to be clear. But there are many people that have older Yubikeys that cannot be fixed.

    ninjalab.io/eucleak/

    The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.

    All YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack.

    yubico.com/support/security-ad

    #2FA #SideChannel #ConstantTime

  3. While this is a low threat, it could have been defended against at basically no cost.

    hXXps://research.kudelskisecurity.com/2017/01/16/when-constant-time-source-may-not-save-you/

    arstechnica.com/security/2024/

    #CryptoGraphy #ConstantTime
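An added illustration of the point made in posts 1 and 5 (example code written here, not taken from any of the posts or the linked articles): a comparison that returns at the first mismatching byte leaks how much of a secret tag matched through its running time, while the constant-time version touches every byte and keeps its accumulator in a volatile variable so the optimiser cannot turn the loop back into an early exit. The 16-byte tag values are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison: returns at the first mismatching byte, so its running
 * time depends on how many leading bytes of the guess are correct. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: every byte is visited, mismatches are OR-ed into an
 * accumulator, and the accumulator is volatile so each update is a real memory
 * access the optimiser may not elide or fold into an early return.
 * (An inline-asm memory clobber is the other common way to pin this down.) */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* Map diff == 0 to 1 and diff != 0 to 0 without a data-dependent branch:
     * (diff - 1) borrows into the high bits only when diff is zero. */
    return (int)(((uint32_t)diff - 1u) >> 8) & 1;
}

int main(void)
{
    /* Constructed 16-byte "tag" and a guess that matches in all but the last byte. */
    const uint8_t expected[] = "0123456789abcdef";
    const uint8_t guess[]    = "0123456789abcdeX";
    printf("early-exit: %d  constant-time: %d\n",
           compare_early_exit(expected, guess, 16),
           compare_constant_time(expected, guess, 16));
    return 0;
}
```

Post 1's caveat still applies: the guarantee is only as good as the generated machine code, so check the optimised object code (for example with objdump) rather than trusting the source alone.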

  4. RT @[email protected]

    We share with you the first implementation of the SIDH-PoK from De Feo-Dobson-Galbraith-Zobernig. Additionally, we implement a signature scheme based on that PoK. #ConstantTime #CLanguage #Isogenies
    Joint work with @[email protected] and #LucasPandolfoPerin twitter.com/IACR_News/status/1

    🐦🔗: twitter.com/Jebus_dguez/status