Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Judging from the context below and my limited knowledge of NaCL, this is incorrect. It uses the same algorithms but with the ASM removed. Since, I believe, one of the points of the ASM was removing timing attacks, removing it is not an inherently safe operation. Not saying anyone did anything wrong, just people should be careful and someone should probably check. This is not just a wrapper around NaCL.


The C versions (mostly reference implementations) in NaCl are constant time. The assembly code is there for performance.


Well, maybe they are constant time today. But it is difficult to make wagers about the future of C compilers.


Everything that doesn't have assembler versions of all their constant time code (even NaCl under x86/x64) will be vulnerable then. It's possible that compilers start to "optimize" the branchless constructs, but it would almost be malicious as they extremely rare to ever encounter outside of specifically wanting not to branch.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: