[Cryptography] [FORGED] Attackers will always win, and it's getting worse!

Jerry Leichter leichter at lrw.com
Wed Jul 12 17:34:03 EDT 2017


>> So ... a compiler specialized for crypto software, which let you specify every last detail of the code generated, would buy you little.  That's not where the problems are.
> 
> We want constant-time execution in order to avoid leaking information.
> Turning off optimizations is a gross way to achieve that -- it relies on
> the assumption that the non-optimized code will execute in constant
> time, which may or may not be true. If we want a fraction of the code to
> be free of side channels, it would be much better to tell it to the
> compiler. Maybe have something like "#pragma constant-time-required" in
> the source code. Of course, compilers today do not understand such
> instructions, and we are thus stuck with approximations like turning off
> optimization or writing in assembly. But requesting support for constant
> time segments seems like a reasonable feature request to compiler
> developers.
You're missing my point.  If the *hardware* won't guarantee anything about instruction execution time ... what can the compiler possibly do?  Do you assume a compiler that targets a particular exact mask and microcode level of a particular chip?
                                                        -- Jerry
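The exchange above is about side channels in comparison code and what a "constant-time" request to the compiler could even mean. As an added illustration (not code from this thread or from any of its participants), the C below puts the usual early-exit comparison beside the common constant-time idiom, and counts loop iterations so the data-dependent timing of the first version is observable without a stopwatch. The 16-byte tag and the two candidate values are constructed sample data. The volatile-pointer trick is an assumption-laden convention: it discourages the optimizer from short-circuiting the loop but, as Jerry's reply stresses, neither the compiler nor this idiom can promise anything about what the hardware does with the resulting instructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: an expected 16-byte authentication tag and two
 * wrong candidates, one differing in the first byte, one in the last. */
static const uint8_t kTag[16]        = {0x9a,0x11,0x03,0xf7,0x42,0x8c,0x5d,0x01,
                                        0xee,0x20,0x77,0xb3,0x4c,0x0f,0xd9,0x66};
static const uint8_t kWrongFirst[16] = {0x00,0x11,0x03,0xf7,0x42,0x8c,0x5d,0x01,
                                        0xee,0x20,0x77,0xb3,0x4c,0x0f,0xd9,0x66};
static const uint8_t kWrongLast[16]  = {0x9a,0x11,0x03,0xf7,0x42,0x8c,0x5d,0x01,
                                        0xee,0x20,0x77,0xb3,0x4c,0x0f,0xd9,0x00};

/* Variable-time comparison: returns at the first mismatching byte, so the
 * number of iterations (and therefore the run time) depends on where the
 * secret and the candidate first differ. *steps receives the iteration count. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time idiom: always walk all n bytes and fold every difference into
 * an accumulator with OR, with no data-dependent branch in the loop. The
 * volatile reads are the conventional (not guaranteed) way to keep the
 * optimizer from exiting early once acc is known to be non-zero. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    const volatile uint8_t *va = a;
    const volatile uint8_t *vb = b;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= (uint8_t)(va[i] ^ vb[i]);
    }
    *steps = n;
    /* Branch-free reduction of acc to 0/1: (acc - 1) has its top bit set
     * only when acc == 0, i.e. when all bytes matched. */
    return (int)((((uint32_t)acc - 1u) >> 31) & 1u);
}

/* Convenience wrappers that return only the iteration count. */
size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t s = 0;
    (void)compare_early_exit(a, b, n, &s);
    return s;
}

size_t constant_time_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t s = 0;
    (void)compare_constant_time(a, b, n, &s);
    return s;
}

int main(void) {
    printf("early-exit:    wrong first byte -> %zu steps, wrong last byte -> %zu steps\n",
           early_exit_steps(kTag, kWrongFirst, 16), early_exit_steps(kTag, kWrongLast, 16));
    printf("constant-time: wrong first byte -> %zu steps, wrong last byte -> %zu steps\n",
           constant_time_steps(kTag, kWrongFirst, 16), constant_time_steps(kTag, kWrongLast, 16));
    return 0;
}
```

The step counts make the point of the thread concrete: the early-exit version takes 1 iteration for a first-byte mismatch and 16 for a last-byte mismatch, while the constant-time version always takes 16. What the counts cannot show is whether the emitted instructions execute in constant time on a given chip, which is exactly the gap the reply above says no source-level pragma can close.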


