Re: [TLS] Constant-time Algorithms

David Benjamin <> Tue, 18 May 2021 15:58 UTC

From: David Benjamin <>
Date: Tue, 18 May 2021 11:58:19 -0400
To: "Michael D'Errico" <>
Subject: Re: [TLS] Constant-time Algorithms
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

I don't know of any list, but everything that deals with secrets has some
constant-time portion. This applies to both long-lived and ephemeral
secrets, and includes clients and servers. How practical an attack is
depends on many factors, including the application itself, but I think we
have ample evidence by now that constant-time should be a default baseline
requirement for implementing any cryptographic primitive.

Usually and preferably, the constant-time portions are in the cryptographic
primitives themselves, rather than TLS. But depending on how the
implementation is structured, this can leak into TLS itself, particularly
with flawed legacy modes. The legacy RSA key exchange uses a broken
encryption mode and needs to avoid the Bleichenbacher attack, and the
legacy CBC cipher suites use a broken MAC-then-encrypt construction and
need to avoid the Lucky 13 attack. This is among many reasons they were
removed in TLS 1.3.


On Mon, May 17, 2021 at 7:57 PM Michael D'Errico <> wrote:

> Also, is it necessary for a TLS client to care about implementing
> algorithms in constant time, or is this only of concern to servers?
> Thanks,
> Mike
> On 5/14/21 14:56, Michael D'Errico wrote:
>> Hi,
>> Is there a list somewhere stating which parts of TLS
>> require constant-time algorithms?
>> Mike
>> _______________________________________________
>> TLS mailing list
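The two places the reply points at, the MAC check in the CBC suites and the padding check in the RSA key exchange, are both cases where a single secret-dependent branch turns into an oracle. The following is an added illustration (not code from the poster, BoringSSL, or any TLS library) of the two building blocks an implementation uses to avoid that: a fixed-length comparison that visits every byte, and a mask-based select that picks one of two buffers without branching. The second half mirrors the shape of the RFC 5246 §7.4.7.1 countermeasure for RSA key exchange, where the server pre-generates a random premaster secret and continues with it when the PKCS#1 v1.5 check fails; the padding check itself is out of scope and is stood in for by a 0/1 flag. All function names, the `PREMASTER_LEN` constant and the sample byte arrays are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Before": early-exit comparison. It returns as soon as a byte differs, so the
 * running time reveals how long a prefix of the attacker's guess matched the
 * secret. This is the kind of data-dependent branch the thread warns about. */
static int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return 0;
        }
    }
    return 1;
}

/* Constant-time equality over a public length n: every byte is visited, the
 * XOR differences are OR-accumulated into one word, and the result is collapsed
 * to 1 (equal) or 0 (different) with arithmetic rather than a branch. */
static uint8_t ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint32_t)(a[i] ^ b[i]);
    }
    /* diff is 0..255; (diff - 1) wraps to 0xFFFFFFFF only when diff == 0. */
    return (uint8_t)((diff - 1u) >> 31);
}

/* Expand a 0/1 flag into an all-zero or all-one byte mask without branching. */
static uint8_t ct_mask(uint8_t bit) {
    return (uint8_t)(0u - bit);
}

/* Branch-free select: returns a when mask is 0xFF, b when mask is 0x00. */
static uint8_t ct_select(uint8_t mask, uint8_t a, uint8_t b) {
    return (uint8_t)((a & mask) | (b & (uint8_t)~mask));
}

/* Shape of the RFC 5246 §7.4.7.1 countermeasure: `fallback` is 48 random bytes
 * the caller generated before decrypting, `decrypted` is the candidate from the
 * ClientKeyExchange, and `ok` is the 0/1 outcome of the (out-of-scope) padding
 * and version check. The handshake continues with `out` either way, and the
 * choice is made bytewise through a mask so no branch depends on `ok`. */
#define PREMASTER_LEN 48  /* assumed name for the TLS 1.2 premaster length */
static void ct_choose_premaster(uint8_t out[PREMASTER_LEN],
                                const uint8_t decrypted[PREMASTER_LEN],
                                const uint8_t fallback[PREMASTER_LEN],
                                uint8_t ok) {
    uint8_t mask = ct_mask(ok);
    for (size_t i = 0; i < PREMASTER_LEN; i++) {
        out[i] = ct_select(mask, decrypted[i], fallback[i]);
    }
}

/* Constructed sample data (not real traffic): two 16-byte MAC tags that share
 * a 12-byte prefix and differ at index 12. */
static const uint8_t kTagA[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const uint8_t kTagB[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0x00, 0xdd, 0xee, 0xff };

/* Runs ct_choose_premaster on constructed buffers and reports which input was
 * selected: 1 = decrypted, 2 = fallback, 0 = neither (which would be a bug). */
static int which_premaster_chosen(uint8_t ok) {
    uint8_t decrypted[PREMASTER_LEN], fallback[PREMASTER_LEN], out[PREMASTER_LEN];
    for (size_t i = 0; i < PREMASTER_LEN; i++) {
        decrypted[i] = (uint8_t)i;           /* stands in for a real decryption */
        fallback[i]  = (uint8_t)(0xa5 ^ i);  /* stands in for 48 random bytes */
    }
    ct_choose_premaster(out, decrypted, fallback, ok);
    if (memcmp(out, decrypted, PREMASTER_LEN) == 0) return 1;
    if (memcmp(out, fallback, PREMASTER_LEN) == 0) return 2;
    return 0;
}

int main(void) {
    printf("leaky_memeq(A,B)=%d ct_memeq(A,B)=%u ct_memeq(A,A)=%u\n",
           leaky_memeq(kTagA, kTagB, 16), ct_memeq(kTagA, kTagB, 16),
           ct_memeq(kTagA, kTagA, 16));
    printf("padding ok   -> chose buffer %d\n", which_premaster_chosen(1));
    printf("padding fail -> chose buffer %d\n", which_premaster_chosen(0));
    return 0;
}
```

Two caveats a practitioner would check. First, `ct_memeq` is only constant-time if the length `n` is public; comparing against a secret-dependent length (as a naive CBC padding check does) leaks on its own, which is the core of Lucky 13. Second, none of this is guaranteed by the C standard: an optimizing compiler is free to turn the mask arithmetic back into a branch, so production libraries confirm the property on the emitted machine code (by inspection or tooling) rather than trusting the source.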