From 41395cb1944856a123aa48dab9ef52482c8fd09c Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Sat, 17 Feb 2024 16:20:37 +0100
Subject: [PATCH] ec: turn the claims lower, refer to edwin's post

---
 articles/speeding-ec-string.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/articles/speeding-ec-string.md b/articles/speeding-ec-string.md
index d343aba..d3c3162 100644
--- a/articles/speeding-ec-string.md
+++ b/articles/speeding-ec-string.md
@@ -18,7 +18,7 @@ TL;DR: replacing cstruct with string, we gain a factor of 2.5 in performance. ## Mirage-crypto-ec -In April 2021 We published our implementation of [elliptic curve cryptography](https://hannes.robur.coop/Posts/EC) (as `mirage-crypto-ec` opam package) - this is DSA and DH for NIST curves P224, P256, P384, and P521, and also Ed25519 (EdDSA) and X25519 (ECDH). We use [fiat-crypto](https://github.com/mit-plv/fiat-crypto/) for the cryptographic primitives, which emits C code that by construction is free of timing side channels (by not having any data-dependent branches). More C code (such as `point_add`, `point_double`, and further 25519 computations including tables) have been taken from the BoringSSL code base. A lot of OCaml code originates from our TLS 1.3 work in 2018, where Etienne Millon, Nathan Rebours, and Clément Pascutto interfaced [elliptic curves for OCaml](https://github.com/mirage/fiat/) (with the goal of being usable with MirageOS). +In April 2021 We published our implementation of [elliptic curve cryptography](https://hannes.robur.coop/Posts/EC) (as `mirage-crypto-ec` opam package) - this is DSA and DH for NIST curves P224, P256, P384, and P521, and also Ed25519 (EdDSA) and X25519 (ECDH). We use [fiat-crypto](https://github.com/mit-plv/fiat-crypto/) for the cryptographic primitives, which emits C code that by construction is correct (note: earlier we stated "free of timing side-channels", but this is a huge challenge, and as [reported by Edwin Török](https://discuss.systems/@edwintorok/111925959867297453) likely impossible on current x86 hardware). More C code (such as `point_add`, `point_double`, and further 25519 computations including tables) have been taken from the BoringSSL code base. A lot of OCaml code originates from our TLS 1.3 work in 2018, where Etienne Millon, Nathan Rebours, and Clément Pascutto interfaced [elliptic curves for OCaml](https://github.com/mirage/fiat/) (with the goal of being usable with MirageOS). 
The goal of mirage-crypto-ec was: develop elliptic curve support for OCaml & MirageOS quickly - which didn't leave much time to focus on performance. As time goes by, our mileage varies, and we're keen to use fewer resources - and thus fewer CPU time and a smaller memory footprint is preferable.
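Review bot: the replaced line loses the one concrete statement of what fiat-crypto provides. The removed text said the emitted C code is "free of timing side channels (by not having any data-dependent branches)"; the added text says only that it "by construction is correct" and then withdraws the side-channel claim in a parenthetical, so a reader no longer learns why fiat-crypto was chosen for the primitives. Consider keeping the concrete property and scoping the retraction to the stronger guarantee, e.g. "which emits C code that by construction is correct and has no data-dependent branches (earlier we stated it is therefore free of timing side-channels, but as reported by Edwin Török that stronger guarantee is likely impossible to achieve on current x86 hardware)". Since the line is being touched anyway, two pre-existing nits on it: "In April 2021 We published" should be lower-case "we", and "More C code ... have been taken" should read "has been taken".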