another case where I think SHOULD is enough

author: Christian Grothoff <christian@grothoff.org> 2022-02-01 20:33:00 +0100
committer: Christian Grothoff <christian@grothoff.org> 2022-02-01 20:33:00 +0100
commit: 8c58a3a83d30508e5093966ec72603dd0f7d6275 (patch)
tree: da49a3ea566c149fd7d91deb0efab7057d92620d
parent: 58f8b61c7c5b4f672e21c7f277235da65e1b221c (diff)
download: lsd0001-8c58a3a83d30508e5093966ec72603dd0f7d6275.tar.gz
lsd0001-8c58a3a83d30508e5093966ec72603dd0f7d6275.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index acc5b55..36c6999 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1168,9 +1168,12 @@ h[31] &= 7  // Implies h mod L == h
 zk' := h * zk
           ]]></artwork>
         <t>
-           We note that implementers must employ a constant time scalar
+           We note that implementers SHOULD employ a constant time scalar
-           multiplication for the constructions above. Also, implementers
+           multiplication for the constructions above to protect against
-           must ensure that the private key a is an ed25519 private key
+           timing attacks. Otherwise, timing attacks may leak private key
+           material if an attacker can predict when a system starts the
+           publication process. Also, implementers
+           MUST ensure that the private key a is an ed25519 private key
           and specifically that "a[0] &#38; 7 == 0" holds.
         </t>
         <t>
author	Christian Grothoff <christian@grothoff.org>	2022-02-01 20:33:00 +0100
committer	Christian Grothoff <christian@grothoff.org>	2022-02-01 20:33:00 +0100
commit	8c58a3a83d30508e5093966ec72603dd0f7d6275 (patch)
tree	da49a3ea566c149fd7d91deb0efab7057d92620d
parent	58f8b61c7c5b4f672e21c7f277235da65e1b221c (diff)
download	lsd0001-8c58a3a83d30508e5093966ec72603dd0f7d6275.tar.gz lsd0001-8c58a3a83d30508e5093966ec72603dd0f7d6275.zip