From 49b6c7e6ba4f7ace89892407d29e53ea994a98ad Mon Sep 17 00:00:00 2001
From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 16 Oct 2023 11:11:37 -0600
Subject: [PATCH] README.md: add notes about timing variability (#373)

Notes that the modpow implementation is not constant-time, but timing
variability is masked using random blinding.
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 66d6f84..1225101 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,10 @@ only one minor finding which has since been addressed.
 
 See the [open security issues] on our issue tracker for other known problems.
 
+Notably the implementation of [modular exponentiation is not constant time],
+but timing variability is masked using random blinding, a commonly used
+technique.
+
 ## Minimum Supported Rust Version (MSRV)
 
 All crates in this repository support Rust 1.65 or higher.
@@ -112,3 +116,4 @@ dual licensed as above, without any additional terms or conditions.
 [RustCrypto]: https://github.com/RustCrypto/
 [audit]: https://www.opentech.fund/results/security-safety-audits/deltachat/
 [open security issues]: https://github.com/RustCrypto/RSA/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity
+[modular exponentiation is not constant time]: https://github.com/RustCrypto/RSA/issues/19