
On Tue, 17 Feb 2015 10:43:12 +0100, Marcel Fourné wrote:
On Sat, 7 Feb 2015 11:53:42 -0500, Patrick Mylund Nielsen wrote:
In other words, Haskell eliminates several classes of errors, but doesn't prevent logic errors, and can do nothing about poor standards.
Aside from this, I think the main issues would be:
- Timing resistance: This is not as simple as sprinkling some bitwise operations on your crypto code. It took a long time to figure out even the basics in OpenSSL, and for better and worse it's more difficult to intuit what your Haskell code will be compiled to than it is with C (though C compilers have been known to optimize away constant-time code.) [...] (3) No branches based on the content of bits of the secret key.
Basically, an encoding of the advice[0] Peter Schwabe gave at ShmooCon 2015 for C-like languages translates well to Haskell, but having typecheckable timing attack resistance would be nicer.

Cheers,
Marcel Fourné

[0]: https://cryptojedi.org/peter/data/shmoocon-20150118.pdf
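As an added illustration of rule (3) above (no branches on secret bits) in the C-like setting the slides address, not code from the thread or from Schwabe's talk: a tag comparison whose running time leaks how many leading bytes matched, next to a constant-time comparison and a mask-based select. The tag values are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample MACs/tags, not real values from any system. */
static const uint8_t TAG_A[8] = {0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88};
static const uint8_t TAG_B[8] = {0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x00};

/* Leaky: exits at the first mismatch, so elapsed time depends on the
   number of matching prefix bytes, i.e. on secret data. */
int memeq_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return 0;   /* branch on secret-dependent data */
    }
    return 1;
}

/* Constant-time: always visits every byte, ORs the XOR differences into an
   accumulator, then collapses it to 0/1 with arithmetic instead of a branch. */
int memeq_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    /* acc == 0 -> (0 + 0xFF) >> 8 == 0 -> returns 1
       acc != 0 -> (acc + 0xFF) >> 8 == 1 -> returns 0 */
    return 1 ^ (((uint32_t)acc + 0xFFU) >> 8);
}

/* Select a or b on a secret bit without `bit ? a : b`, which a compiler
   may lower to a conditional jump. The mask is all-zeros or all-ones. */
uint32_t select_ct(uint32_t bit, uint32_t a, uint32_t b) {
    uint32_t mask = 0U - (bit & 1U);
    return (a & mask) | (b & ~mask);
}

int main(void) {
    printf("leaky A==A: %d, A==B: %d\n",
           memeq_leaky(TAG_A, TAG_A, 8), memeq_leaky(TAG_A, TAG_B, 8));
    printf("ct    A==A: %d, A==B: %d\n",
           memeq_ct(TAG_A, TAG_A, 8), memeq_ct(TAG_A, TAG_B, 8));
    printf("select bit=1 -> %u, bit=0 -> %u\n",
           select_ct(1, 7, 9), select_ct(0, 7, 9));
    return 0;
}
```

As the thread notes, the compiler is free to reintroduce a branch or early exit; inspecting the emitted assembly for the optimisation level actually shipped is the only way to confirm the constant-time property survived.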