Tom Kent wrote:
For example, there have been timing attacks against SHA-2/HMAC where the difference in the amount of time processing takes can leak information about the secret key. https://dl.acm.org/doi/10.1007/978-3-030-89915-8_2
This is an attack against a hardware implementation of HMAC-SHA2-256. The paper doesn't seem to be freely available, but I _think_ that it relies on data leaks via changes in power consumption. This doesn't seem applicable to software implementations, and I wasn't able to find attacks against software HMAC-SHA2-256. (Admittedly, after a not that exhaustive search attempt.) Either way, if you think that not having a SHA-2 implementation in Boost will increase the resistance of the collective body of C++ code against side channel attacks, I can only say that I believe you are very much mistaken.