[Cryptography] Compiler optimization side channel
Phillip Hallam-Baker
phill at hallambaker.com
Fri Aug 23 14:06:26 EDT 2024
So, I was looking at some RSA key generation code, just because, and I
suddenly had this thought. I have all these registers here with values that
can be used to factor the modulus. So I had better zero them out before I
leave.
// Declare all registers which may contain values leaking the secret.
// e and n are public, so they need no erasure; everything derived from p and q does.
BigInteger e, d, n,
    dp = BigInteger.Zero, dq = BigInteger.Zero, qInv = BigInteger.Zero;

// Create reduced versions of p and q as named locals (rather than writing p - 1
// inline) so that we can force erasure of them at the end as well.
var p1 = p - 1;
var q1 = q - 1;

try { /* stuff */ }
finally {
    // Destroy all local copies of the variables, including the reduced primes
    p.Erase();
    q.Erase();
    p1.Erase();
    q1.Erase();
    dp.Erase();
    dq.Erase();
    qInv.Erase();
    d.Erase();
}
Where Erase (this ref BigInteger x) is an extension method that reaches into
the structure and erases the value _bits.
Which looked all well and good. But then I thought to myself, what if the
compiler gets hold of that data and decides to optimize the arithmetic
creating temporary variables that it leaves hanging about?
I don't think the C# compiler can do that quite yet because there isn't a
way to declare that the BigInteger classes meet the laws of the arithmetic
operators. So even though I can write a = b+c-b, the compiler can't
optimize that away to a = b.
But it's not too far-fetched to think it might one day in the future.
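As an added illustration (my own code, not the poster's), here is what such an Erase extension method can look like on .NET, together with the try/finally pattern from the post. It assumes the layout of System.Numerics.BigInteger in current .NET: an int field `_sign` plus a `uint[]` field `_bits` that is null when the value fits in an int. The primes are constructed toy values. It also shows two consequences of BigInteger being an immutable struct that the post's worry about temporaries runs into before any optimizer does: every arithmetic operator allocates a fresh magnitude array, so an unnamed sub-expression already leaves an unreachable copy behind, and every struct copy of a value shares one array, so erasing one copy erases all of them.

```csharp
// Added example (not the original poster's code). Assumes the .NET layout of
// System.Numerics.BigInteger: an int _sign plus a uint[] _bits that is null when
// the value fits in an int. The prime values below are constructed toy inputs.
using System;
using System.Numerics;
using System.Reflection;

public static class BigIntegerSecrets
{
    // Private field holding the magnitude limbs. Fail at type initialisation if the
    // runtime ever renames it, rather than silently leaving secrets behind.
    private static readonly FieldInfo BitsField =
        typeof(BigInteger).GetField("_bits", BindingFlags.NonPublic | BindingFlags.Instance)
        ?? throw new InvalidOperationException("BigInteger layout changed: _bits not found");

    // Zero the heap array behind x, then reset x itself.
    // BigInteger is an immutable struct: each copy of x (arguments, JIT-spilled
    // locals, plain assignments) holds only _sign and a reference to the same
    // _bits array, so clearing that one array erases every copy at once.
    // Values that fit in an int have no array; they live in _sign, which the
    // assignment to Zero overwrites in place.
    public static void Erase(this ref BigInteger x)
    {
        if (BitsField.GetValue(x) is uint[] bits)
            Array.Clear(bits, 0, bits.Length);
        x = BigInteger.Zero;
    }

    // Verification helper for tests: true when x has no magnitude array or every
    // limb of it is zero.
    public static bool MagnitudeCleared(BigInteger x)
    {
        if (BitsField.GetValue(x) is not uint[] bits)
            return true;
        foreach (uint limb in bits)
            if (limb != 0) return false;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed toy primes (the 10,000th and 100,000th primes); real RSA
        // primes are hundreds of digits, these are only here to drive the pattern.
        BigInteger p = 104729, q = 1299709;
        BigInteger n = BigInteger.Zero;
        BigInteger p1 = BigInteger.Zero, q1 = BigInteger.Zero;   // named so finally can reach them
        try
        {
            p1 = p - 1;
            q1 = q - 1;
            n = p * q;            // public modulus, deliberately not erased
            // Writing (p - 1) * (q - 1) inline instead would allocate two arrays
            // that no finally block can reach: an unnamed temporary at source
            // level, before any optimiser gets involved.
            Console.WriteLine($"n = {n}, p-1 = {p1}, q-1 = {q1}");
        }
        finally
        {
            p.Erase();
            q.Erase();
            p1.Erase();
            q1.Erase();
        }
        Console.WriteLine($"after finally: p = {p}, q = {q}, p1 = {p1}, q1 = {q1}");

        // The shared-array property cuts both ways: erasing a value also erases
        // every struct copy of it, including one already handed to a caller.
        BigInteger secret = BigInteger.Pow(2, 100) + 12345;   // large enough to live in _bits
        BigInteger alias = secret;                             // struct copy: same _bits array
        secret.Erase();
        Console.WriteLine($"alias magnitude cleared as well: {BigIntegerSecrets.MagnitudeCleared(alias)}");
        // So never Erase a value you are about to return; erase the inputs and
        // intermediates instead, and let the caller erase the result when done.
    }
}
```

MagnitudeCleared reads the same private array and is the check a unit test would run on every secret-bearing local after the finally block. Reaching into a framework type's private fields by reflection is deliberately brittle: the static initialiser throws if `_bits` is not found, so a runtime update that changes the layout fails loudly instead of leaving the erasure as a silent no-op.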