Add X448 known-answer tests and benchmark coverage#33
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
| func scalarMultX448(out *[x448PointSize]byte, scalar *[x448ScalarSize]byte, point *[x448PointSize]byte) { | ||
| var k [x448ScalarSize]byte | ||
| copy(k[:], scalar[:]) | ||
| clampScalarX448(k[:]) | ||
| x1 := decodeLittleEndian(point[:]) | ||
| x2 := big.NewInt(1) | ||
| z2 := big.NewInt(0) |
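Review bot: the ladder state in scalarMultX448 is built from math/big values (x1 := decodeLittleEndian(point[:]), x2 := big.NewInt(1), z2 := big.NewInt(0)), and math/big arithmetic allocates and branches on operand magnitude, so every ladder step will take time that depends on the clamped scalar k. Replace the big.Int state with a fixed-width limb representation of the X448 field whose add, sub, mul and conditional swap execute a fixed sequence of word operations, and consume each scalar bit through a masked cswap rather than a branch; the initialisation shown here (x1 from the point, x2 = 1 and z2 = 0 for the point at infinity) carries over unchanged to such a representation.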
Implement X448 ladder with constant‑time field arithmetic
The new X448 implementation builds the Montgomery ladder using math/big operations (scalarMultX448), which allocate and branch based on operand size. These operations are not constant‑time and leak information about the private scalar through timing differences, violating the project’s requirement for constant‑time ECDH primitives. Because the method is now exposed via NewX448 and used in Hybrid KEMs, an attacker who can measure timings during a key exchange can recover bits of the secret scalar. Consider replacing the big‑integer arithmetic with constant‑time field routines similar to the standard library’s X25519/X448 implementations.
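The shape of what the review above asks for, as an added example that is not the project's code and not what this PR implements: a Montgomery ladder with fixed-width integer arithmetic, a fixed iteration count, and masked conditional swaps instead of branches on scalar bits. To keep the field arithmetic to a few lines it uses a toy 31-bit Mersenne prime (an assumption for the demo; X448's field 2^448 - 2^224 - 1 needs multi-limb arithmetic built on the same principles). The coefficient A = 156326 and base u = 9 are borrowed from RFC 7748 for familiarity only; over the toy prime they define an unrelated curve. Scalar clamping is omitted, and the names ctMask, reduce, fmul, finv, cswap, ladder and sharedSecret are the example's own.

```go
package main

import "fmt"

// Toy modulus p = 2^31 - 1 (assumption for the demo, NOT the X448 field).
// Every product of two residues fits in a uint64, so no multi-limb code.
const p uint64 = 1<<31 - 1

// Montgomery curve B*v^2 = u^3 + A*u^2 + u. A = 156326 is X448's A, reused
// here only for familiarity; over the toy prime it is some other curve.
const curveA uint64 = 156326
const a24 uint64 = (curveA + 2) / 4 // 39081, the constant the ladder step uses

// ctMask turns a bit (0 or 1) into 0x00..00 or 0xFF..FF without branching.
func ctMask(b uint64) uint64 { return -(b & 1) }

// reduce maps v in [0, 2p) to [0, p) with a masked conditional subtraction.
func reduce(v uint64) uint64 {
	t := v - p // wraps, setting the top bit, exactly when v < p
	keep := ctMask(t >> 63)
	return t + (keep & p) // add p back only when the subtraction went too far
}

func fadd(a, b uint64) uint64 { return reduce(a + b) }
func fsub(a, b uint64) uint64 { return reduce(a + p - b) }

// fmul uses the Mersenne structure 2^31 == 1 (mod p): a 62-bit product folds
// as (low 31 bits) + (high bits). Two folds land in [0, p+1], one reduce
// finishes. Every step is a fixed sequence of shifts, masks and adds.
func fmul(a, b uint64) uint64 {
	v := a * b
	v = (v & p) + (v >> 31)
	v = (v & p) + (v >> 31)
	return reduce(v)
}

// finv is Fermat inversion a^(p-2). The exponent is a public constant, so the
// branch below depends on nothing secret.
func finv(a uint64) uint64 {
	r := uint64(1)
	for i := 30; i >= 0; i-- {
		r = fmul(r, r)
		if ((p-2)>>uint(i))&1 == 1 {
			r = fmul(r, a)
		}
	}
	return r
}

// cswap exchanges *a and *b iff swap == 1, using a mask so that memory access
// and control flow are identical for both values of swap.
func cswap(a, b *uint64, swap uint64) {
	m := ctMask(*a ^ *b) & ctMask(swap) // ctMask(x^y) is harmless; swap decides
	m = ctMask(swap)
	t := m & (*a ^ *b)
	*a ^= t
	*b ^= t
}

// ladder returns the u-coordinate of [k]P for the point P with u-coordinate
// u (u must already be reduced mod p). It follows the RFC 7748 ladder step,
// always runs 64 iterations and never branches on a bit of k.
func ladder(k, u uint64) uint64 {
	x1 := u
	x2, z2 := uint64(1), uint64(0) // projective point at infinity
	x3, z3 := u, uint64(1)         // projective P
	var swap uint64
	for t := 63; t >= 0; t-- {
		kt := (k >> uint(t)) & 1
		swap ^= kt
		cswap(&x2, &x3, swap)
		cswap(&z2, &z3, swap)
		swap = kt

		a := fadd(x2, z2)
		aa := fmul(a, a)
		b := fsub(x2, z2)
		bb := fmul(b, b)
		e := fsub(aa, bb)
		c := fadd(x3, z3)
		d := fsub(x3, z3)
		da := fmul(d, a)
		cb := fmul(c, b)
		s := fadd(da, cb)
		x3 = fmul(s, s)
		df := fsub(da, cb)
		z3 = fmul(x1, fmul(df, df))
		x2 = fmul(aa, bb)
		z2 = fmul(e, fadd(aa, fmul(a24, e)))
	}
	cswap(&x2, &x3, swap)
	cswap(&z2, &z3, swap)
	return fmul(x2, finv(z2))
}

// sharedSecret runs both sides of an x-only Diffie-Hellman on the toy curve
// from base u = 9 (assumed) and returns what each side computes.
func sharedSecret(kA, kB uint64) (uint64, uint64) {
	const base = 9
	pubA := ladder(kA, base)
	pubB := ladder(kB, base)
	return ladder(kA, pubB), ladder(kB, pubA)
}

func main() {
	sa, sb := sharedSecret(0x1f4a5c3e9d0b7721, 0x6c2e9b03f5a1d4ee)
	fmt.Printf("A: %d  B: %d  agree: %v\n", sa, sb, sa == sb)
}
```

The only things that vary with the scalar are the values flowing through the masks; the instruction stream, loop count and memory layout are the same for every k. Porting this to X448 means replacing the uint64 field with a multi-limb representation of 2^448 - 2^224 - 1 that has the same property for add, sub, mul and cswap, and widening the scalar loop to 448 bits over the clamped scalar.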
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_68fb54baac7c8325bbb49ff272fbc962