
bartbutler | 6 years ago

We are aware of the issues brought up in [0] and [1]. As suggested in [2], we are already considering switching to an implementation in WebAssembly to mitigate the possibility of timing attacks on the web platform.

In our mobile and desktop apps, where timing attack resistance is easier to achieve, the X25519 implementation is already constant-time.

Once they are generated, keys are controlled by our users and not easily updated, so we wanted to make our choice of default curve as future-proof as we could while balancing speed and interoperability.

[0]: https://github.com/indutny/elliptic/issues/128

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861639#10

[2]: https://github.com/openpgpjs/openpgpjs/issues/720
