Pedersen hash is not constant time #452

Open
satoshiotomakan opened this issue Aug 10, 2023 · 1 comment

@satoshiotomakan

A side-channel attack seeks to undermine a cryptographic system's security by analyzing its physical behaviors rather than attempting to solve its foundational mathematical challenges. This approach might involve studying aspects such as the system's timing patterns, energy usage, electromagnetic emissions, or even audible noises. By gathering this data, attackers could potentially decode and compromise the cryptographic protection.

Impact

Attackers could potentially observe the timing of the table lookups in the add_points function.

Recommendation

To mitigate such a potential side-channel attack, one could:
• Ensure all operations are constant time: This might involve using cryptographic libraries that provide constant-time operations, or carefully coding your own to avoid data-dependent branches and memory accesses.
• Use data-oblivious algorithms: These are algorithms designed to execute in the same way regardless of their input data. This ensures that an attacker cannot gain any useful information by observing their execution.

@xJonathanLEI
Owner

This is a known issue:

FieldElement::from_bytes_be(&result).unwrap()

I will keep this issue open in case someone wants to contribute to add a constant-time version alongside the existing one.
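
The kind of data-oblivious table lookup the recommendation describes, as an added example that is not code from this repository or from either commenter. The `Entry` layout, the function names and the 16-entry table are hypothetical stand-ins, not the library's actual `add_points` table.

```rust
/// Constructed stand-in for a precomputed curve point: x and y as four 64-bit limbs each.
type Entry = [u64; 8];

/// All-ones mask when a == b, zero otherwise, computed without a branch.
fn ct_eq_mask(a: u64, b: u64) -> u64 {
    let diff = a ^ b;
    // (diff | -diff) has its top bit set exactly when diff != 0.
    let nonzero = (diff | diff.wrapping_neg()) >> 63;
    nonzero.wrapping_sub(1)
}

/// Variable-time lookup: the memory address touched depends on the secret index.
fn lookup_vartime(table: &[Entry], secret_index: usize) -> Entry {
    table[secret_index]
}

/// Data-oblivious lookup: reads every entry and keeps the wanted one via masking.
fn lookup_ct(table: &[Entry], secret_index: usize) -> Entry {
    let mut out = [0u64; 8];
    for (i, entry) in table.iter().enumerate() {
        let mask = ct_eq_mask(i as u64, secret_index as u64);
        for (o, limb) in out.iter_mut().zip(entry.iter()) {
            *o |= *limb & mask;
        }
    }
    out
}

/// Constructed 16-entry table (arbitrary values, not real curve points).
fn sample_table() -> Vec<Entry> {
    (0..16u64)
        .map(|i| {
            let mut e = [0u64; 8];
            for (j, limb) in e.iter_mut().enumerate() {
                *limb = i.wrapping_mul(0x9E37_79B9_7F4A_7C15).wrapping_add(j as u64);
            }
            e
        })
        .collect()
}

fn main() {
    let table = sample_table();
    for idx in 0..table.len() {
        assert_eq!(lookup_ct(&table, idx), lookup_vartime(&table, idx));
    }
    println!("constant-time lookup matches for all {} indices", table.len());
}
```

The Rust compiler gives no constant-time guarantee and may turn masked selects back into branches, so production code usually relies on a crate such as `subtle`, which adds optimization barriers, and checks the generated assembly.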
