Pure Python Data Mangling or Encrypting

Steven D'Aprano steve at pearwood.info
Sat Jun 27 13:58:02 EDT 2015


On Sun, 28 Jun 2015 03:35 am, Steven D'Aprano wrote:

> On Sun, 28 Jun 2015 01:09 am, Ian Kelly wrote:

>> The time to obfuscate a single byte is constant,
> 
> Are you sure about that? Bet your house? How about your computer?

Correction: the example I showed uses str, not bytes.

With bytes, the timing differences are much smaller. Are they statistically
distinguishable? Don't know. On my machine, they appear to be, although
that could be just a fluke. Is there a guarantee that bytes.translate will
always be constant time per byte? No, of course not. Might the application
itself some day start using str.translate? Who knows?

The point is, you cannot rely on this. Preventing leakage is *hard*.


-- 
Steven
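
Added example, not part of the original post or thread: one way to check on your own machine whether bytes.translate timings are statistically distinguishable between two input classes, using Welch's t-test over interleaved measurements. The substitution table, the input classes, the function names and the 4.5 cutoff are assumptions chosen for illustration.

```python
import os
import statistics
import time

# Constructed 256-byte substitution table (7 is coprime with 256, so this is
# a permutation); it stands in for whatever table the application uses.
TABLE = bytes((i * 7 + 13) % 256 for i in range(256))

def time_translate(data, table=TABLE):
    """Nanoseconds taken by one bytes.translate call over data."""
    start = time.perf_counter_ns()
    data.translate(table)
    return time.perf_counter_ns() - start

def collect(size=4096, rounds=2000):
    """Interleave the two input classes so clock drift and load hit both.

    'fixed' is one repeated byte value, 'rand' is fresh os.urandom data
    (generated outside the timed region).
    """
    fixed, rand = [], []
    fixed_input = b"\x00" * size
    for _ in range(rounds):
        fixed.append(time_translate(fixed_input))
        rand.append(time_translate(os.urandom(size)))
    return fixed, rand

def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    va, vb = statistics.variance(a), statistics.variance(b)
    se = (va / len(a) + vb / len(b)) ** 0.5
    if se == 0:  # coarse clocks can yield identical readings
        return 0.0 if statistics.fmean(a) == statistics.fmean(b) else float("inf")
    return (statistics.fmean(a) - statistics.fmean(b)) / se

def leakage_report(threshold=4.5, **kwargs):
    """|t| above threshold (an assumed cutoff) suggests data-dependent timing."""
    fixed, rand = collect(**kwargs)
    t = welch_t(fixed, rand)
    return {"t": t, "distinguishable": abs(t) > threshold, "samples": len(fixed)}

if __name__ == "__main__":
    print(leakage_report())
```

A small |t| on one run does not establish constant time; the result depends on the interpreter build, hardware and load, and a different Python version may behave differently.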



