path: root/core/crypto/README.md
author: Yawning Angel <yawning@schwanenlied.me> 2024-03-24 22:52:21 +0900
committer: Yawning Angel <yawning@schwanenlied.me> 2024-04-09 10:23:58 +0900
commit: a43a5b053c1d1e931eeb56d65e6a40f634a0b94f (patch)
tree: 91e9180db6d0b640a3beb5b70ed9d67b0cc31fe8 /core/crypto/README.md
parent: a14f0d8f58f602a2a658120c83b0df7e31e7cc6b (diff)
core/crypto: Add more documentation about assumptions (NFC)
Diffstat (limited to 'core/crypto/README.md')
-rw-r--r--  core/crypto/README.md | 8
1 file changed, 8 insertions, 0 deletions
diff --git a/core/crypto/README.md b/core/crypto/README.md
index 1e4e41fb8..303b1f625 100644
--- a/core/crypto/README.md
+++ b/core/crypto/README.md
@@ -14,6 +14,14 @@ constant-time byte comparison.
- Best-effort is make to mitigate timing side-channels on reasonable
architectures. Architectures that are known to be unreasonable include
but are not limited to i386, i486, and WebAssembly.
+- Implementations assume a 64-bit architecture (64-bit integer arithmetic
+ is fast, and includes add-with-carry, sub-with-borrow, and full-result
+ multiply).
+- Hardware sidechannels are explicitly out of scope for this package.
+ Notable examples include but are not limited to:
+ - Power/RF side-channels etc.
+ - Fault injection attacks etc.
+ - Hardware vulnerabilities ("apply mitigations or buy a new CPU").
- The packages attempt to santize sensitive data, however this is, and
will remain a "best-effort" implementation decision. As Thomas Pornin
puts it "In general, such memory cleansing is a fool's quest."
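Review bot: the added bullets spell the term two ways, "Hardware sidechannels" on the first new line and "Power/RF side-channels" in the sub-list, while the existing text above already says "timing side-channels"; use "side-channels" throughout. The trailing "etc." on "Power/RF side-channels etc." and "Fault injection attacks etc." is redundant after "include but are not limited to" and can be dropped. In the 64-bit bullet, "64-bit integer arithmetic is fast, and includes add-with-carry, sub-with-borrow, and full-result multiply" reads as if the arithmetic, rather than the instruction set, includes those operations; saying that the target ISA provides them, and that "full-result multiply" means a 64x64-to-128-bit product, would be clearer. Since i386 and i486 are already named as unreasonable two lines above, a short cross-reference between that bullet and the new 64-bit assumption would avoid the overlap. As this is a documentation-only commit, the two typos in the surrounding context are worth fixing in the same change: "Best-effort is make" should read "is made", and "santize" should read "sanitize".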