My understanding is that we're concerned that any function over the secret key (or something derived from it) must take time independent of the input value. Here are possible issues I see:
- `scalarmult` takes time in `e`, and in `publickey()` `e` is a function of `sk`, not sure if this is a concern (it's a function of the magnitude of `e`, which may not correlate with an individual value)
- `encodepoint` (as called from `publickey()`), `y >> i` is probably not timing independent, its time is a function of the magnitude of `y`.
- `publickey` and `signature`: `2 ** i * bit(h, i)` takes time in the magnitude of the bit from `h` (`h` is computed from the `sha256` of `sk`, so perhaps it can't be reversed?)

Those are what I have for now, more review is definitely needed.
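An added illustration of the `scalarmult` concern raised above; it is not part of the original comment and not the project's code. It assumes a stand-in group (multiplication modulo 2**255 - 19 instead of Edwards point addition) and hypothetical function names, and it counts group operations rather than measuring wall-clock time.

```python
# Stand-in group: integers under multiplication mod P_MOD (an assumption made
# to keep the example short; the real code would add curve points).
P_MOD = 2**255 - 19


def varying_scalarmult(base, e):
    """Recursive double-and-add. Returns (result, group_ops).

    group_ops == e.bit_length() + popcount(e), so the amount of work is a
    function of the scalar itself.
    """
    ops = 0

    def rec(k):
        nonlocal ops
        if k == 0:
            return 1
        q = rec(k // 2)
        q = q * q % P_MOD          # "double"
        ops += 1
        if k & 1:                  # branch taken only for set bits
            q = q * base % P_MOD   # "add"
            ops += 1
        return q

    return rec(e), ops


def fixed_scalarmult(base, e, bits=256):
    """Fixed-length loop. Returns (result, group_ops).

    Always performs `bits` doublings and `bits` additions, then selects the
    result arithmetically instead of branching on the scalar bit.
    Caveat: this only fixes the operation count. Python integer arithmetic
    (including `e >> i`) still takes time that depends on operand magnitude.
    """
    ops = 0
    acc = 1
    for i in reversed(range(bits)):
        acc = acc * acc % P_MOD
        ops += 1
        added = acc * base % P_MOD  # computed whether or not the bit is set
        ops += 1
        bit = (e >> i) & 1
        acc = (added * bit + acc * (1 - bit)) % P_MOD
    return acc, ops
```
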