[Cryptography] Speculation considered harmful?

Nico Williams nico at cryptonector.com
Sun Jan 7 18:38:24 EST 2018


On Sat, Jan 06, 2018 at 05:49:06AM +0000, Howard Chu wrote:
> Henry Baker wrote:
> 
> >So-called "two phase commit protocols" attempt to gather all the information and resources necessary to *complete* a transaction prior to "committing" the transaction.  If the transaction can't be completed, then it must need to be "rolled back" -- a process of *undoing* any actions that were done during the gathering phase.
> >
> >There's only one slight problem: you can't unring a bell: you can't "unlearn"/"forget" a bit that you learned during the gathering phase.  Or more precisely, you can't force a party to the transaction to forget such bits.
> >
> >I don't have a clean solution to this "forgetting" problem, and I doubt that anyone else does, either.
> 
> Eh. In the context of Spectre, the CPU knows which cachelines it loaded in a
> speculative fetch. It should simply mark them invalid when unrolling the
> speculation.

But it would then have to reload whatever they had contained before.
Eviction is still a side-effect.
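
[Added example, not part of the original message: a toy direct-mapped cache model showing why invalidating speculatively loaded lines on rollback still leaves an observable difference, because the line that was evicted to make room is gone. The class, function names, addresses and cache geometry are constructed for illustration and model no specific CPU.]

```python
# Toy direct-mapped cache model (constructed for illustration; not real hardware).
class Cache:
    def __init__(self, n_sets=4, restore_on_rollback=False):
        self.n_sets = n_sets
        self.lines = [None] * n_sets   # tag held by each set; None = invalid
        self.spec_log = []             # (set index, tag evicted by a speculative fill)
        self.restore = restore_on_rollback

    def load(self, addr, speculative=False):
        """Access addr. Return True on a hit, False on a miss (fill + eviction)."""
        idx = addr % self.n_sets
        if self.lines[idx] == addr:
            return True
        if speculative:
            # Remember what the speculative fill displaced.
            self.spec_log.append((idx, self.lines[idx]))
        self.lines[idx] = addr
        return False

    def rollback(self):
        """Undo speculation: invalidate the filled lines, or put the victims back."""
        # Restoring is modelled as free here; on hardware the reload is itself
        # a memory access.
        for idx, victim in reversed(self.spec_log):
            self.lines[idx] = victim if self.restore else None
        self.spec_log.clear()


def observer_sees_speculation(restore_on_rollback):
    """True if a later access to a previously cached line misses after rollback."""
    cache = Cache(restore_on_rollback=restore_on_rollback)
    resident = 8       # cached before speculation; maps to set 0
    speculative = 12   # speculatively fetched; also maps to set 0
    cache.load(resident)
    cache.load(speculative, speculative=True)
    cache.rollback()
    # A miss on the formerly resident line is the leftover side effect.
    return not cache.load(resident)


if __name__ == "__main__":
    print("invalidate only  :", observer_sees_speculation(False))
    print("invalidate+reload:", observer_sees_speculation(True))
```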

