by Retr0id 1533 days ago
It's not just the randomness requirement, but also the requirement that k (the "random" nonce) remains secret. Without a sufficiently constant-time implementation, you leak information about k through timing side channels, and with clever tricks like lattice reduction you can recover the key with surprisingly little information.