[Cryptography] [FORGED] Attackers will always win, and it's getting worse!

Christian Huitema huitema at huitema.net
Wed Jul 12 13:56:25 EDT 2017



On 7/12/2017 9:15 AM, Jerry Leichter wrote:
> So ... a compiler specialized for crypto software, which let you specify every last detail of the code generated, would buy you little.  That's not where the problems are.

We want constant-time execution in order to avoid leaking information.
Turning off optimizations is a gross way to achieve that -- it relies on
the assumption that the non-optimized code will execute in constant
time, which may or may not be true. If we want a fraction of the code to
be free of side channels, it would be much better to tell it to the
compiler. Maybe have something like "#pragma constant-time-required" in
the source code. Of course, compilers today do not understand such
instructions, and we are thus stuck with approximations like turning off
optimization or writing in assembly. But requesting support for constant
time segments seems like a reasonable feature request to compiler
developers.

-- 
Christian Huitema
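
As an added illustration, not part of Huitema's message or Leichter's: the early-exit comparison that leaks timing beside the constant-time form the post argues for. The inline-asm barrier stands in for the "constant-time required" hint the post wishes compilers understood, and assumes GCC or Clang; the sample tags are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs: two 16-byte tags that differ only in the
 * last byte, so the early-exit compare runs almost to the end. */
static const uint8_t TAG_EXPECTED[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
static const uint8_t TAG_RECEIVED[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0xff };

/* Early-exit comparison (memcmp-style): the loop stops at the first
 * mismatch, so run time reveals how many leading bytes matched. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: every byte is visited and differences are
 * OR-accumulated, so the work done is independent of the data. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* Optimisation barrier (assumes GCC/Clang inline asm). Without a
     * "constant-time required" hint, an optimiser that sees diff used
     * only as zero/non-zero may legally turn the loop back into an
     * early exit; the asm consumes the full value, so it cannot.
     * This is today's approximation of the pragma the message asks for. */
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(diff) : : "memory");
#endif
    /* Branch-free map: diff == 0 -> 1, anything else -> 0. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    printf("leaky_equal: %d\n", leaky_equal(TAG_EXPECTED, TAG_RECEIVED, 16));
    printf("ct_equal:    %d\n", ct_equal(TAG_EXPECTED, TAG_RECEIVED, 16));
    return 0;
}
```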
