> * On architectures where nistz256 is not implemented, a default
> OpenSSL build will use the generic Weierstrass implementation. I
> haven't been able to determine whether there are significant timing
> channels in that implementation.
Researches have been beating up "the generic Weierstr
I am working on implementing the SPAKE2 algorithm[1] for a krb5
pre-authentication mechanism, and would like to double-check some
conclusions I've drawn about elliptic curve implementations.
For SPAKE2, I need to compute T=xG+wM and K=x(S-wN), where x is a random
scalar, w is a scalar derived from
