[Cryptography] recently published documentation by Intel/ARM wrt constant-time instructions
Markus Reichelt
ml at mareichelt.com
Fri Aug 26 11:04:31 EDT 2022
Hi,
in case you don't already know, I'd like to share this gem, quoting
Eric Biggers (h/t Adam Langley) [1]:
"Intel and ARM recently published documentation that says that no
instructions are guaranteed to be constant-time with respect to their
data operands, unless a "data independent timing" flag in the
IA32_UARCH_MISC_CTL register (Intel) or DIT register (arm64) is set:
* https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
* https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing
This is a major problem for crypto code, which needs to be
constant-time, especially with respect to keys. And since this is a
CPU issue, it affects all code running on the CPU. While neither
company is treating this as a security disclosure, to me this looks
exactly like a CPU vulnerability."
[1] https://lkml.org/lkml/2022/8/25/1372
[2] alt link for [1]: https://lore.kernel.org/lkml/YwgCrqutxmX0W72r@gmail.com/
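Added example, not part of the mail or the linked Intel/Arm documents: a C routine for Linux/arm64 that checks the kernel's HWCAP_DIT flag, sets PSTATE.DIT before a fixed-time tag comparison, and reads DIT back. The function names and the two sample tags are assumptions; on other architectures the DIT helpers report 0, and the Intel flag in IA32_UARCH_MISC_CTL is not touched because that MSR can only be written by the kernel.

```c
#include <stddef.h>
#include <stdio.h>
#if defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#ifndef HWCAP_DIT
#define HWCAP_DIT (1UL << 24)   /* bit Linux's asm/hwcap.h uses for FEAT_DIT */
#endif
#endif

/* 1 if the kernel advertises FEAT_DIT for this CPU, 0 otherwise (and on non-arm64). */
int dit_supported(void) {
#if defined(__aarch64__) && defined(__linux__)
    return (getauxval(AT_HWCAP) & HWCAP_DIT) != 0;
#else
    return 0;   /* Intel's flag lives in the IA32_UARCH_MISC_CTL MSR: kernel-only, not set here */
#endif
}

/* Reads PSTATE.DIT back (bit 24 of the DIT system register); 0 where unavailable. */
int dit_active(void) {
#if defined(__aarch64__)
    unsigned long v;
    __asm__ volatile("mrs %0, S3_3_C4_C2_5" : "=r"(v));
    return (int)((v >> 24) & 1);
#else
    return 0;
#endif
}

/* Sets PSTATE.DIT. 0xd503415f is the encoding of `msr dit, #1`, emitted as a raw
 * instruction so assemblers without ARMv8.4 support still build it (the Linux kernel does the same). */
int dit_enable(void) {
    if (!dit_supported()) return 0;
#if defined(__aarch64__)
    __asm__ volatile(".inst 0xd503415f" ::: "memory");
#endif
    return dit_active();
}

/* Fixed-time byte comparison: touches every byte, no data-dependent branch or early exit. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned int)(a[i] ^ b[i]);
    return (int)(1 & ((diff - 1) >> 8));   /* 1 only when every byte matched */
}

int main(void) {
    const unsigned char good[] = "0123456789abcdef", bad[] = "0123456789abcdeX"; /* constructed MAC tags */
    printf("DIT supported=%d enabled=%d\n", dit_supported(), dit_enable());
    printf("tag match=%d mismatch=%d\n", ct_equal(good, good, 16), ct_equal(good, bad, 16));
    return 0;
}
```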