[ forgesworn/ring-sig ] docs: mark the c*x non-constant-time limitation at the code site (ring-sig #2) (#23)
The security review flagged the closing response's challenge*privatekey BigInt
multiply as the sole non-constant-time op touching the secret. It is inherent to
JS BigInt (a real fix needs a constant-time scalar backend; a scalar blind was
considered and rejected as not clearly effective). Mark it precisely at both
sites (sag.ts/lsag.ts) and sharpen the SECURITY.md note so the accepted limitation
is explicit and traceable, rather than papered over with a risky partial fix.
Co-authored-by: TheCryptoDonkey <
[email protected]>
https://github.com/forgesworn/ring-sig/commit/9baa6a2943ff71b660bbab179883059113be307c