[Cryptography] RISC-V isn't the answer

Henry Baker hbaker1 at pipeline.com
Mon Jan 22 09:30:05 EST 2018


At 06:22 PM 1/21/2018, Tony Arcieri wrote:
>On Sun, Jan 21, 2018 at 6:05 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>>Ok, so I've reviewed a number of discussions of
>>the RISC-V architecture, and my conclusion is that
>>RISC-V isn't going to be a "silver bullet" for
>>high security & privacy applications.
>>
>>Why?
>>
>>Although RISC-V was a "clean sheet" design in
>>2011 (?), a lot of water has gone under the
>>bridge since then (cough, Snowden, cough),
>
>So FUD?
>
>>I don't believe that RISC-V adequately
>>addresses all of the side-channel issues that
>>have been discovered in the meantime.
>
>Which side-channel issues?  If you're alluding to Meltdown and Spectre, RISC-V isn't vulnerable to either, because no RISC-V core supports speculative execution yet (the closest thing is the BOOMv2 core, which only does out-of-order execution).

Timing side-channels, at least.

RISC-V caches aren't partitioned, or controllable in any other way to defeat timing attacks from one process against another process running on the same core.

As I said before, every plaintext compression attack can be translated into a timing attack against a processor with a cache, since the cache "compresses" the memory reference stream.  RISC-V does nothing to address (!) this issue.

I'm not interested in squashing bugs like Meltdown and Spectre one by one -- it's far too expensive.  We need to squash entire classes of bugs with one swat, and this means learning from experiences like plaintext compression attacks.
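
An added example, not part of the original message: a toy model of the cross-process cache channel the message describes, comparing a shared cache with a set-partitioned one. The cache geometry, addresses and all names are constructed for illustration; no real hardware or timing is involved.

```python
# Toy model: geometry, addresses and names are constructed for illustration.
LINE, SETS = 64, 16                 # bytes per line, number of sets (assumed)
VICTIM, OBSERVER = 0, 1
TABLE_BASE = 0x10000                # victim's lookup table (constructed)
PROBE_BASE = 0x80000                # observer's own buffer (constructed)


class Cache:
    """Direct-mapped cache used by two processes on one core."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        # With partitioning each process owns a private half of the sets.
        self.sets_per_owner = SETS // 2 if partitioned else SETS
        self.slots = {}             # slot -> (owner, line) currently cached

    def access(self, owner, addr):
        """Return True on a hit, False on a miss (the slow, visible case)."""
        line = addr // LINE
        index = line % self.sets_per_owner
        slot = (owner, index) if self.partitioned else index
        hit = self.slots.get(slot) == (owner, line)
        self.slots[slot] = (owner, line)
        return hit


def observed_misses(cache, secret):
    """What the observer sees around one secret-indexed victim lookup."""
    sets = range(cache.sets_per_owner)
    for s in sets:                  # observer fills every set it can reach
        cache.access(OBSERVER, PROBE_BASE + s * LINE)
    cache.access(VICTIM, TABLE_BASE + secret * LINE)   # table[secret]
    # Observer re-reads its buffer; a miss means the victim evicted that set.
    return tuple(s for s in sets
                 if not cache.access(OBSERVER, PROBE_BASE + s * LINE))


def distinct_observations(partitioned):
    """Number of secrets the observer can tell apart (1 means no leak)."""
    return len({observed_misses(Cache(partitioned), secret)
                for secret in range(SETS)})


if __name__ == "__main__":
    print("shared cache:     ", distinct_observations(False))  # 16
    print("partitioned cache:", distinct_observations(True))   # 1
```

In the shared case every secret index produces a different miss pattern; with the sets partitioned per process the observer's view is identical for all secrets.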


