Elliptic-curve cryptography is full of edge cases, math pitfalls, and side-channel traps.
* Your implementation produces incorrect results for some rare curve points.
* Your implementation leaks secret data when the input isn't a curve point.
* Your implementation leaks secret data through branch timing.
* Your implementation leaks secret data through cache timing.
This is why NIST curves should be retired in favor of Curve25519 and other newer designs that care actual secure implementation in mind, not only theoretical security.
Curve25519 is designed to be more immune to implementation pitfalls. There is no invalid curve attack in Curve25519, secret-dependent branching can be avoided easily, etc.
1 comment
[ 2.2 ms ] story [ 11.7 ms ] thread* Your implementation produces incorrect results for some rare curve points.
* Your implementation leaks secret data when the input isn't a curve point.
* Your implementation leaks secret data through branch timing.
* Your implementation leaks secret data through cache timing.
This is why NIST curves should be retired in favor of Curve25519 and other newer designs that care actual secure implementation in mind, not only theoretical security.
Curve25519 is designed to be more immune to implementation pitfalls. There is no invalid curve attack in Curve25519, secret-dependent branching can be avoided easily, etc.
https://safecurves.cr.yp.to/