nettle: Side-channel silence

1 
1 6.7.3.1 Side-channel silence
1 ............................
1 
1 Nettle’s implementation of the elliptic curve operations is intended to
1 be side-channel silent.  The side-channel attacks considered are:
1 
1    • Timing attacks If the timing of operations depends on secret
1      values, an attacker interacting with your system can measure the
1      response time, and infer information about your secrets, e.g., a
1      private signature key.
1 
1    • Attacks using memory caches Assume you have some secret data on a
1      multi-user system, and that this data is properly protected so that
1      other users get no direct access to it.  If you have a process
1      operating on the secret data, and this process does memory accesses
1      depending on the data, e.g, an internal lookup table in some
1      cryptographic algorithm, an attacker running a separate process on
1      the same system may use behavior of internal CPU caches to get
1      information about your secrets.  This type of attack can even cross
1      virtual machine boundaries.
1 
1    Nettle’s ECC implementation is designed to be “side-channel silent”,
1 and not leak any information to these attacks.  Timing and memory
1 accesses depend only on the size of the input data and its location in
1 memory, not on the actual data bits.  This implies a performance penalty
1 in several of the building blocks.
1