[Cryptography] recently published documentation by Intel/ARM wrt constant-time instructions

Markus Reichelt ml at mareichelt.com
Fri Aug 26 11:04:31 EDT 2022


Hi,

in case you don't already know, I'd like to share this gem, quoting
Eric Biggers (h/t Adam Langley) [1]:

"Intel and ARM recently published documentation that says that no
instructions are guaranteed to be constant-time with respect to their
data operands, unless a "data independent timing" flag in the
IA32_UARCH_MISC_CTL register (Intel) or DIT register (arm64) is set:

* https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
* https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing

This is a major problem for crypto code, which needs to be
constant-time, especially with respect to keys.  And since this is a
CPU issue, it affects all code running on the CPU.  While neither
company is treating this as a security disclosure, to me this looks
exactly like a CPU vulnerability."


[1] https://lkml.org/lkml/2022/8/25/1372
[2] alternate link for [1]: https://lore.kernel.org/lkml/YwgCrqutxmX0W72r@gmail.com/
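Added example (not from the post or the linked Intel/Arm documentation) of what "setting the DIT flag" looks like from userspace on arm64 Linux: the DIT system register is accessible at EL0, so a program can enable it around its constant-time code. It assumes the Arm encoding S3_3_C4_C2_5 for DIT, the Linux arm64 AT_HWCAP bit 24 (HWCAP_DIT) for feature detection, and that the Intel IA32_UARCH_MISC_CTL MSR is kernel-only and so out of reach here; on other architectures the helpers just report "unsupported".

```c
#include <stddef.h>
#include <stdint.h>
#if defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#endif
#define DIT_HWCAP_BIT (1UL << 24) /* AT_HWCAP bit advertising DIT (Linux arm64 ABI) */
/* 1 if the CPU advertises DIT, 0 if not, -1 on a non-arm64/Linux build. */
int dit_supported(void) {
#if defined(__aarch64__) && defined(__linux__)
    return (getauxval(AT_HWCAP) & DIT_HWCAP_BIT) ? 1 : 0;
#else
    return -1;
#endif
}
/* PSTATE.DIT is bit 24 of the DIT system register (encoding S3_3_C4_C2_5)
 * and is accessible from userspace (EL0).  Only use after dit_supported()
 * returns 1: on older cores the access is UNDEFINED and raises SIGILL. */
int dit_get(void) {
#if defined(__aarch64__)
    uint64_t v;
    __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(v));
    return (int)((v >> 24) & 1);
#else
    return -1;
#endif
}
void dit_set(int on) {
#if defined(__aarch64__)
    uint64_t v = on ? (1ULL << 24) : 0;
    __asm__ volatile("msr s3_3_c4_c2_5, %0" : : "r"(v));
#else
    (void)on;
#endif
}
/* Constant-time equality: no data-dependent branches or memory accesses.
 * Per the quoted guidance this alone is not enough; DIT must be set for
 * the instruction timings themselves to be data-independent. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
/* Compare with DIT enabled where available, restoring the previous state. */
int ct_equal_with_dit(const uint8_t *a, const uint8_t *b, size_t n) {
    int prev = (dit_supported() == 1) ? dit_get() : -1;
    if (prev == 0) dit_set(1);
    int eq = ct_equal(a, b, n);
    if (prev == 0) dit_set(0);
    return eq;
}
```

DIT is per-thread PSTATE, so it must be set on every thread that runs secret-dependent code; nothing here covers x86, where only the kernel can write the MSR.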

