[CentOS] SSH Weak Ciphers

Thu Oct 20 12:05:35 UTC 2016
Leonard den Ottolander <leonard at den.ottolander.nl>

Hi,

On Thu, 2016-10-20 at 13:47 +0200, Leonard den Ottolander wrote:
> The point Bernstein makes in the article I referenced is not so much
> that the NIST curves are suspect (for the reasons you mention) but the
> fact that the ECDSA algorithm itself is such that it is virtually
> impossible to implement in such a way that the code uses constant time.
> This opens the door for side channel (timing) attacks. The fact that you
> use a "nothing up my sleeve" curve does not change that fact.

Rereading the article I'm not sure again if my last statement is
correct... Perhaps Bernstein's objections against ECDSA are against
ECDSA+NIST-curves (because those use parameters that make a constant-time
implementation hard?) and not vs ECDSA as such. "Every natural
implementation of ECDSA" is a bit ambiguous in this respect...

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
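The timing concern discussed above, as an added toy illustration that is not part of the thread: a straightforward double-and-add scalar multiplication performs a point addition only for the 1-bits of the secret scalar (in ECDSA, the per-signature nonce), so its work depends on the secret, while a Montgomery ladder does the same work for every scalar of a given length. Curve parameters, the point G and the operation counter are constructed for the demo.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); G has order 5.
# Operation counts stand in for timing; this is not production ECC code.
P, A, B = 97, 2, 3
G = (3, 6)
INF = None                       # point at infinity

def ec_add(p1, p2):
    """Affine point addition (and doubling) on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF               # p1 == -p2, also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_double_and_add(k, pt):
    """Naive: one extra addition per 1-bit, so ops depend on the scalar's Hamming weight."""
    r, ops = INF, 0
    for bit in bin(k)[2:]:
        r, ops = ec_add(r, r), ops + 1
        if bit == "1":
            r, ops = ec_add(r, pt), ops + 1
    return r, ops

def mul_ladder(k, pt, nbits):
    """Montgomery ladder: one addition and one doubling per bit, whatever the scalar."""
    r0, r1, ops = INF, pt, 0
    for i in reversed(range(nbits)):
        bit = (k >> i) & 1
        # Real constant-time code replaces these secret-dependent swaps with a
        # branch-free conditional swap (cswap) and uses constant-time field arithmetic.
        r0, r1 = (r1, r0) if bit else (r0, r1)
        r1 = ec_add(r0, r1)
        r0 = ec_add(r0, r0)
        r0, r1 = (r1, r0) if bit else (r0, r1)
        ops += 2
    return r0, ops

if __name__ == "__main__":
    for k in (4, 7):             # same bit length, different Hamming weight
        print(k, mul_double_and_add(k, G), mul_ladder(k, G, 3))
```

Scalars 4 (0b100) and 7 (0b111) give the naive routine 4 and 6 operations respectively, while the ladder performs 6 for both.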