
Potential timing side-channel attack on EC-ElGamal

Open • InfoHunter opened this issue 2 years ago • 1 comment

Decryption time seems to be proportional to the plaintext size; this may cause timing side-channel leakage of the plaintext. Can we improve it?

For example, for decryption of the product, I tried 3 different sizes:

EC_ELGAMAL_decrypt(C500,800) result: 400000, cost: 0.906000ms
EC_ELGAMAL_decrypt(C500,80000) result: 40000000, cost: 19.644000ms
EC_ELGAMAL_decrypt(C500,800000) result: 400000000, cost: 193.503000ms

Originally posted by @KaneX in https://github.com/BabaSSL/BabaSSL/pull/135#discussion_r774568272

InfoHunter • Jan 24 '22 02:01

This problem is difficult to improve because, on the one hand, we pursue fast decryption performance, and on the other hand, we can only rely on hash tables to improve performance. If we want to prevent timing side-channel attacks, we can only converge all decryption times to the maximum or average value. In that case, the performance would be very poor, so it could not be promoted for business use. It is recommended to address the timing side-channel problem at the upper layer of the business architecture.

wa5i • Feb 16 '22 02:02
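The trade-off discussed in this thread, as an added example that is not Tongsuo's code and not written by either participant: a table-based search for m stops at the first hit, so its work grows with the plaintext, while a variant that always runs to the maximum pays the worst-case cost on every call. Assumptions: a multiplicative group modulo 65537 stands in for the elliptic curve, the lookup is a baby-step/giant-step search over a 16-entry table, and all names, keys and constants are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy exponential ElGamal in Z_p^*, standing in for the curve group (assumption). */
#define P 65537u    /* prime; 3 generates the whole group of order 65536 */
#define G 3u
#define ORD 65536u
#define BABY 16u    /* baby-step table size: constructed, deliberately small */
#define MAX_GIANT (ORD / BABY)
static uint16_t baby[P];  /* baby[g^j mod p] = j + 1; 0 means absent */
static uint32_t giant;    /* g^(-BABY) mod p, filled in by setup() */

static uint32_t powmod(uint32_t b, uint32_t e) {
    uint64_t r = 1, x = b % P;
    for (; e; e >>= 1, x = x * x % P) if (e & 1) r = r * x % P;
    return (uint32_t)r;
}

static void setup(void) {
    uint64_t v = 1;
    for (uint32_t j = 0; j < BABY; j++, v = v * G % P) baby[v] = (uint16_t)(j + 1);
    giant = powmod(G, ORD - BABY);
}

/* Ciphertext (g^r, g^m * h^r) for public key h = g^x. */
static void encrypt(uint32_t h, uint32_t m, uint32_t r, uint32_t c[2]) {
    c[0] = powmod(G, r);
    c[1] = (uint32_t)((uint64_t)powmod(G, m) * powmod(h, r) % P);
}

/* Recover m from g^m. fixed=0 stops at the first hit (m/BABY + 1 iterations);
 * fixed=1 runs all MAX_GIANT iterations (loop count only, not constant time). */
static uint32_t decrypt(uint32_t x, const uint32_t c[2], int fixed, uint32_t *iters) {
    uint64_t v = (uint64_t)c[1] * powmod(c[0], ORD - x) % P;  /* v = g^m */
    uint32_t m = 0, found = 0, i;
    if (!giant) setup();
    for (i = 0; i < MAX_GIANT && (fixed || !found); i++, v = v * giant % P)
        if (baby[v] && !found) { m = i * BABY + baby[v] - 1; found = 1; }
    *iters = i;
    return m;
}

int main(void) {
    uint32_t x = 12345, h = powmod(G, x), c[2], e, f, msgs[] = {40, 4000, 40000};
    for (int k = 0; k < 3; k++) {
        encrypt(h, msgs[k], 777 + k, c);
        uint32_t m = decrypt(x, c, 0, &e);
        decrypt(x, c, 1, &f);
        printf("m=%u early-exit iters=%u fixed iters=%u\n", m, e, f);
    }
    return 0;
}
```

The fixed variant equalizes only the iteration count; the table index and the hit branch still depend on the secret value, so it illustrates the cost of padding to the maximum rather than a constant-time implementation.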