Is num-bigint modpow() cryptographically appropriate

Is https://docs.rs/num-bigint/0.2.2/num_bigint/struct.BigInt.html#method.modpow cryptographically appropriate? In particular, is it constant time?

I can see from reading the source that it is not constant time for even moduli, but I am wondering about odd moduli?

If it isn’t, can people recommend a big number library that is suitable for use in cryptographic constructions?

Constant time is not a design consideration for num-bigint. Even if it happens to be so today for some operations, I would happily accept changes that improve performance in non-constant ways.

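As an added illustration of what the question is asking for (example code written for this thread, not num-bigint's own implementation): a textbook square-and-multiply on u64 whose branch depends on each exponent bit, next to a branch-free variant that always performs the multiply and selects the result with a mask. The caveats in the comments are the ones a reviewer would raise before calling even the second version constant time.

```rust
// Added example (not num-bigint's code): contrasting a data-dependent modpow
// with a branch-free one on u64, using u128 intermediates.
//
// Caveats a practitioner should know: the `%` reduction compiles to a hardware
// division whose latency is itself data-dependent on many CPUs (real
// constant-time code uses Montgomery or Barrett reduction), the compiler is not
// obliged to keep the mask-select branch-free, and a big-integer version must
// additionally keep memory accesses independent of secret limb values.

/// (a * b) mod m without overflow; m must be non-zero.
fn mulmod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

/// Textbook square-and-multiply. The `if` runs the multiply only for set
/// exponent bits, so running time tracks the Hamming weight and positions of
/// the bits of `exp`: a timing side channel when `exp` is a private key.
pub fn modpow_leaky(base: u64, exp: u64, m: u64) -> u64 {
    let mut acc = 1 % m;
    let mut b = base % m;
    for i in 0..64 {
        if (exp >> i) & 1 == 1 {
            acc = mulmod(acc, b, m);
        }
        b = mulmod(b, b, m);
    }
    acc
}

/// Branch-free variant: every iteration does the same multiply and the same
/// square; the exponent bit only drives a mask select.
pub fn modpow_ct(base: u64, exp: u64, m: u64) -> u64 {
    let mut acc = 1 % m;
    let mut b = base % m;
    for i in 0..64 {
        let bit = (exp >> i) & 1;            // 0 or 1
        let mask = 0u64.wrapping_sub(bit);   // 0x0000... or 0xFFFF...
        let product = mulmod(acc, b, m);     // computed unconditionally
        acc = (product & mask) | (acc & !mask);
        b = mulmod(b, b, m);
    }
    acc
}

fn main() {
    // 4^13 mod 497 = 445, a common worked example
    println!("{} {}", modpow_leaky(4, 13, 497), modpow_ct(4, 13, 497));
}
```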

Didn’t look at num-bigint’s code yet, but generally bigints are implemented as a union of an inlined number and a vector of them. So even simply reading it will or will not require a memory indirection, and thus a possible cache miss, based on the runtime value, which is a HUGE difference in a cryptographic context.


Thank you. Particularly the second part of your answer is important for planning.

Thank you. Yes, timing is only the most obvious side channel to consider. But if functions don’t even attempt to address timing attacks, I can assume that they will make no effort to address others.