TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

Elliptic curve arithmetic and cryptography library in Rust

65 points, by bren2013, over 10 years ago

3 comments

nullc, over 10 years ago
Uh, users almost never want ElGamal encryption. It has a few interesting applications, but it's very easy to make insecure systems using it. Where it's used it should be packaged up into a complete protocol that handles the footgunnery.

This claims to have constant time operations, but the addition law is very clearly not constant time: https://github.com/Bren2010/ecc/blob/master/src/curves.rs#L93 Likewise, the field operations are not constant time. Simply doing both the 1 and 0 path and throwing the other side out is not generally adequate to achieve constant time behaviour when the underlying operations are variable time (and also see, for example, the flush/reload attacks in the literature).

Also the field operations appear to be variable time. (So, it looks like the inversions to convert back to affine would leak shared secret data for ECDH, or information about the nonce in ECDSA.) It looks like the reduction in kinv alone would likely leak log2(k^-1) pretty directly in timing, so if you could capture some large number of signatures with a single key you could probably recover it, potentially even remotely. (Not trying to be harsh here, OpenSSL is just as bad for their generic code... but if someone is advertised as constant time, it ought to meet the strongest definition of it since the caller is not going to be a cryptographer and he's going to treat it as a black box and inevitably use it in the most exploitable way possible. :) )

General question about rust: Is there any way to reliably write constant time code in it? Or are you always at the mercy of the compiler undermining you? E.g. happily unrolling loops, optimizing out dummy operations, and turning branchless comparisons into branchy ones. (I wouldn't have expected that there would be, since there isn't really in C; unless you're able to audit the compiler output ... and rust is even higher level).
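An added example (not code from the Bren2010/ecc crate or from any commenter) illustrating the two distinct points nullc raises: a scalar ladder whose control flow does not depend on the secret (mask-based swaps rather than `if secret_bit`), sitting on top of a group operation whose reduction is still variable-time. The group is a toy one, integers modulo an assumed 64-bit prime under multiplication, standing in for curve point addition; the ladder structure is the same Montgomery ladder an EC library would use.

```rust
// Assumed toy modulus: 2^64 - 59, the largest prime below 2^64.
pub const P: u64 = 0xFFFF_FFFF_FFFF_FFC5;

/// Constant-time conditional swap; `flag` must be 0 or 1.
/// `flag` is expanded into an all-ones / all-zeros mask, so there is no
/// branch on the secret bit for the CPU's predictor to learn from.
#[inline(never)]
pub fn ct_swap(a: &mut u64, b: &mut u64, flag: u64) {
    let mask = 0u64.wrapping_sub(flag & 1);
    let t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/// Group operation. The `%` here compiles to a hardware divide, which is
/// variable-time on most CPUs: this is the second problem in the thread, a
/// branch-free ladder over variable-time field arithmetic still leaks.
/// A real library replaces it with fixed-limb Montgomery/Barrett reduction.
pub fn mul_mod(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

/// Montgomery ladder: every iteration performs exactly one multiply and one
/// square, in the same order, whatever the value of the key bit.
/// Invariant after each step: r1 == r0 * g (mod P).
pub fn ladder_pow(g: u64, k: u64) -> u64 {
    let (mut r0, mut r1) = (1u64, g);
    for i in (0..64).rev() {
        let bit = (k >> i) & 1;
        ct_swap(&mut r0, &mut r1, bit);
        r1 = mul_mod(r0, r1);
        r0 = mul_mod(r0, r0);
        ct_swap(&mut r0, &mut r1, bit);
    }
    r0
}

/// Branchy square-and-multiply for comparison: the `if` on a secret bit is the
/// pattern nullc objects to in the addition law; work per iteration depends on
/// the key, so timing (and the branch predictor) reveal its Hamming weight.
pub fn branchy_pow(g: u64, k: u64) -> u64 {
    let mut acc = 1u64;
    for i in (0..64).rev() {
        acc = mul_mod(acc, acc);
        if (k >> i) & 1 == 1 {
            acc = mul_mod(acc, g);
        }
    }
    acc
}
```

Both functions return the same result for any input; the difference the thread cares about is what the CPU does along the way, which is why fixing the ladder alone (as the "do both paths and discard one" approach tries to) is not sufficient while `mul_mod` still divides.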
erickt, over 10 years ago
If anyone is interested in rust and cryptography, we have a meetup this Thursday in San Francisco focused on it:

http://www.meetup.com/Rust-Bay-Area/events/210632582/

We are currently full, but we are live streaming it on:

https://air.mozilla.org/bay-area-rust-meetup-december-2014/

We also have about 10-15 people un-RSVP the day of, so there is a chance spots free up between now and then.
indeyets, over 10 years ago
Do you plan to have implementation of DJB's curves/primitives?