Post
Topic
Board Announcements (Altcoins)
Re: NXT :: descendant of Bitcoin - Updated Information
by
gimre
on 10/02/2014, 06:52:54 UTC
Code:
if ((v[31] & 0x80) != 0)
{
mula_small(v, v, 0, ORDER, 32, 1);
}
Don't do this. The time required to run the code should NEVER depend on input data. This makes timing attacks possible (depending on how the methods are used).
If this is fixed, it should be incorporated into the main client.


You want to say that the alternative USING A LOOP to find the proper x is better?

(On a sidenote, the current implementation of Curve most likely IS susceptible to a timing attack, but that shouldn't be a problem - network lag would screw your timings a lot.)


edit: oh, and also that:
NOW, signing is actually:
v * temp, where temp is related ONLY to the PUBLIC key. (v is dependent ONLY on the data.)
...
(Whatever the old one leaks is up to you; I know it doesn't, because it's NOT related directly to the private key.)

It seems doctorevil said the same:
Quote from: doctorevil
Iruu's mention of a possible timing attack doesn't really apply to the patch. The impact on the timing of sign() that the changes make only leak data about values that are already public.
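To make the objection in the quoted snippet concrete, here is an added example (mine, not code from this thread or from the NXT client) showing the data-dependent branch next to a constant-time rewrite. It assumes that mula_small(p, q, m, x, n, z) computes p = q + z*x over n little-endian bytes with carry propagation, as in the Curve25519 Java port the snippet comes from, so the quoted call reduces to "v = v + ORDER". The 32-byte ORDER is replaced by a constructed all-0x01 sample constant; the real group order is not used here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* p = q + x over 32 little-endian bytes, final carry dropped.
   Assumption: this is what mula_small(v, v, 0, ORDER, 32, 1) computes
   when z == 1 (p[i] = q[i] + z*x[i] with carry), as in the Java port. */
static void add32(uint8_t p[32], const uint8_t q[32], const uint8_t x[32]) {
    unsigned int carry = 0;
    for (int i = 0; i < 32; i++) {
        carry += (unsigned int)q[i] + (unsigned int)x[i];
        p[i] = (uint8_t)carry;
        carry >>= 8;
    }
}

/* The quoted pattern: whether the addition runs at all depends on one bit
   of v, so the running time depends on the (secret-derived) input. */
void adjust_branchy(uint8_t v[32], const uint8_t order[32]) {
    if ((v[31] & 0x80) != 0) {
        add32(v, v, order);
    }
}

/* Constant-time version: always perform the addition, but add either
   `order` or all-zero bytes, chosen by a mask computed without a branch.
   The mask is 0xFF when bit 7 of v[31] is set and 0x00 otherwise. */
void adjust_ct(uint8_t v[32], const uint8_t order[32]) {
    uint8_t mask = (uint8_t)(0 - ((v[31] >> 7) & 1));
    uint8_t addend[32];
    for (int i = 0; i < 32; i++) {
        addend[i] = order[i] & mask;
    }
    add32(v, v, addend);
}

/* Returns 1 if both versions produce the same result for `in`, else 0. */
int versions_agree(const uint8_t in[32], const uint8_t order[32]) {
    uint8_t a[32], b[32];
    memcpy(a, in, 32);
    memcpy(b, in, 32);
    adjust_branchy(a, order);
    adjust_ct(b, order);
    return memcmp(a, b, 32) == 0;
}

/* Constructed sample input (not NXT data): v is all zero with the top bit
   optionally set; the sample "order" is 32 bytes of 0x01. */
static void sample_input(int set_high_bit, uint8_t v[32], uint8_t order[32]) {
    memset(order, 0x01, 32);
    memset(v, 0x00, 32);
    if (set_high_bit) {
        v[31] = 0x80;
    }
}

/* Demo helpers over the constructed sample, used by the checks below. */
int demo_agree(int set_high_bit) {
    uint8_t v[32], order[32];
    sample_input(set_high_bit, v, order);
    return versions_agree(v, order);
}

int demo_ct_byte(int set_high_bit, int idx) {
    uint8_t v[32], order[32];
    sample_input(set_high_bit, v, order);
    adjust_ct(v, order);
    return v[idx];
}

int main(void) {
    for (int bit = 0; bit < 2; bit++) {
        printf("high bit %d: versions agree = %d, ct result byte0=0x%02x byte31=0x%02x\n",
               bit, demo_agree(bit), demo_ct_byte(bit, 0), demo_ct_byte(bit, 31));
    }
    return 0;
}
```

The mask trick only helps if the compiler keeps it branch-free; after building with optimisation, inspect the generated assembly for adjust_ct (for example with objdump -d) and confirm no conditional jump depends on v[31]. Note that add32 itself is already constant-time, so the only leak in the original pattern is the decision to call it.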