2017.08.28 06:20:42 (902023109921951745) from Daniel J. Bernstein, replying to "Aris Adamantiadis ☠ (@aris_ada)" (901885868176265218):
The paper says "my Curve25519 software is already immune to timing attacks". It doesn't say "Curve25519 is immune to libgcrypt". Nothing is.
2017.08.27 18:43:54 (901847754686828544) from "Frank ⚡ (@jedisct1)":
libgcrypt CVE-2017-0379 - side-channel attack on Curve25519 https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=da780c8183cccc8f533c8ace8211ac2cb2bdee7b
2017.08.27 20:53:47 (901880438431645696) from "Dmitry Chestnykh / Stop the war! (@dchest)":
TIL Curve25519 in libgcrypt is not constant-time 🤷♂️ https://twitter.com/jedisct1/status/901847754686828544
2017.08.27 21:15:21 (901885868176265218) from "Aris Adamantiadis ☠ (@aris_ada)", replying to "Dmitry Chestnykh / Stop the war! (@dchest)" (901880438431645696):
Basically the first design criteria of curve25519 was that it'd be easy to make constant-time. Big fail.