[Cryptography] [FORGED] Attackers will always win, and it's getting worse!
Jerry Leichter
leichter at lrw.com
Wed Jul 12 17:34:03 EDT 2017
>> So ... a compiler specialized for crypto software, which let you specify every last detail of the code generated, would buy you little. That's not where the problems are.
>
> We want constant-time execution in order to avoid leaking information.
> Turning off optimizations is a gross way to achieve that -- it relies on
> the assumption that the non-optimized code will execute in constant
> time, which may or may not be true. If we want a fraction of the code to
> be free of side channels, it would be much better to tell it to the
> compiler. Maybe have something like "#pragma constant-time-required" in
> the source code. Of course, compilers today do not understand such
> instructions, and we are thus stuck with approximations like turning off
> optimization or writing in assembly. But requesting support for constant
> time segments seems like a reasonable feature request to compiler
> developers.
You're missing my point. If the *hardware* won't guarantee anything about instruction execution time ... what can the compiler possibly do? Do you assume a compiler that targets a particular exact mask and microcode level of a particular chip?
-- Jerry
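For readers following the constant-time thread above, here is the kind of code the "turn off optimizations or write assembly" workaround is meant to protect. This is an added illustration, not code posted by Jerry or the quoted author: an early-exit comparison whose running time depends on where the first differing byte sits, next to an OR-accumulating comparison that touches every byte. The value_barrier helper is an assumed idiom (an empty asm statement that hides the value from the optimizer), not anything the list discussed; it only addresses what the compiler does and says nothing about the hardware-level timing guarantees Jerry is asking about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison: the loop stops at the first mismatch, so the
 * running time leaks how many leading bytes of a secret tag were right. */
int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;          /* branch on secret-dependent data */
    }
    return 1;
}

/* Assumed idiom (not from the list): an empty asm statement that marks v
 * as possibly modified, so the optimizer cannot see that the final
 * arithmetic below is "just a comparison" and turn it back into a branch.
 * Falls back to a plain pass-through on compilers without GNU asm. */
static inline uint8_t value_barrier(uint8_t v)
{
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(v));
#endif
    return v;
}

/* Constant-time comparison: every byte is visited regardless of content,
 * differences are OR-accumulated, and the 0/1 result is derived with
 * arithmetic rather than a data-dependent branch. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    diff = value_barrier(diff);
    /* (diff - 1) borrows into the high bits only when diff == 0,
     * so bit 8 of the result is 1 exactly for "all bytes equal". */
    return (int)((((uint16_t)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    /* Constructed sample tags (not real protocol data). */
    const uint8_t good[4] = { 0xde, 0xad, 0xbe, 0xef };
    const uint8_t bad1[4] = { 0x00, 0xad, 0xbe, 0xef };  /* mismatch at byte 0 */
    const uint8_t bad2[4] = { 0xde, 0xad, 0xbe, 0x00 };  /* mismatch at byte 3 */

    printf("leaky: %d %d %d\n", leaky_memeq(good, good, 4),
           leaky_memeq(good, bad1, 4), leaky_memeq(good, bad2, 4));
    printf("ct:    %d %d %d\n", ct_memeq(good, good, 4),
           ct_memeq(good, bad1, 4), ct_memeq(good, bad2, 4));
    return 0;
}
```

Both functions return the same answers; the difference is that leaky_memeq does less work for bad1 than for bad2, and that difference is what a timing attacker measures. Even ct_memeq only removes the compiler-visible branch: whether the remaining instructions actually execute in constant time is a property of the CPU, which is the point being made in the reply above.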