Although I can't think of a practical scenario where a typical user would ever be exposed to this, yes, the concern is side-channel attacks (e.g., a timing attack):
( ... cut a lot of helpful links, quote and explanations ... )
I think deterministic signatures are much more important than constant-time signatures (there's been a non-trivial amount of funds lost due to the repeat k-value problem but I doubt a single satoshi has ever been lost due to a genuine side-channel attack). Someone like gmaxwell could comment better on the practical risks here.
I concur with all you said. I think that Pieter Wuille took a chance to snap in this "constant time" thing while writing libsecp256k1. What seems weird to me is that they don't mention the main advantage of replacing OpenSSL with such "custom made" signing tool:
speed.
Quoting gmaxwell's email to the bitcoin-development mailing list (related to the headers-first sync feature):
(I'm using 295k as the target here because after that point ecdsa
dominates, and then your 6+x faster libsecp256k makes more of a
difference)
(bold is mine)
About that matter, this is an interesting post on reddit by gmaxwell (aka nullc):
To make a long story short: while working on this new libsecp256k1 Pieter Wuille and Greg Maxwell found a new OpenSSL flaw (CVE-2014-3570).
@cypher, this quote could be interesting to you:
This library is part of what Pieter and I are working on at Blockstream.