commit 8c58a3a83d30508e5093966ec72603dd0f7d6275 parent 58f8b61c7c5b4f672e21c7f277235da65e1b221c Author: Christian Grothoff <christian@grothoff.org> Date: Tue, 1 Feb 2022 20:33:00 +0100 another case where I think SHOULD is enough Diffstat:
| M | draft-schanzen-gns.xml | | | 9 | ++++++--- |
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -1168,9 +1168,12 @@ h[31] &= 7 // Implies h mod L == h zk' := h * zk ]]></artwork> <t> - We note that implementers must employ a constant time scalar - multiplication for the constructions above. Also, implementers - must ensure that the private key a is an ed25519 private key + We note that implementers SHOULD employ a constant time scalar + multiplication for the constructions above to protect against + timing attacks. Otherwise, timing attacks may leak private key + material if an attacker can predict when a system starts the + publication process. Also, implementers + MUST ensure that the private key a is an ed25519 private key and specifically that "a[0] & 7 == 0" holds. </t> <t>