[Cryptography] Spectre again (was Re: RISC-V branch predicting)

Arnold Reinhold agr at me.com
Thu Feb 15 05:16:53 EST 2018


On Tuesday 13 Feb 2018 10:03 Nemo explained:

> But bounding what a serious attacker might do with Spectre is effectively
> impossible. Which is why all of the mitigations are focused on the BTB,
> not the in-kernel JITs and interpreters.

This gets back to the original topic of this thread. Why have a branch target buffer in the first place if most of the benefit of the hardware trying to determine likely branch direction can be accomplished in software development through the efforts of the programmer, compiler and profiler? Market pressures and, many suspect, state actors, are pushing commercial CPU designs to ever greater complexity that makes successful security analysis nearly impossible. The cleverest cryptographic code can be rendered useless if one cannot trust the hardware it runs on. Open hardware may be the last best hope of restoring a rigorous basis for cryptographic security.

Traditionally an instruction set architecture was the sole contract between hardware and software. Any hardware that met an ISA spec would run any software generated for that spec. Evidently we need more for cryptography to work. Given the relatively early state of the RISC-V project, it would seem dialog between the crypto community and the RISC-V designers is appropriate and needed, to negotiate one or more hardware design profiles that would make demonstrable security possible again. 

Arnold Reinhold

