[Cryptography] Compiler optimization side channel

Bertrand Mollinier Toublet crypto-metzdowd at bmt-online.org
Fri Aug 23 19:37:52 EDT 2024


> On Aug 23, 2024, at 11:06 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> So, I was looking at some RSA key generation code, just because and I suddenly had this thought. I have all these registers here with values that can be used to factor the modulus. So I had better zero them out before I leave.
> 
[snip]
> 
> Where Erase (this ref BigInteger x) is an extension method that reaches into the structure and erases the value _bits.
> 
> 
> Which looked all well and good. But then I thought to myself, what if the compiler gets hold of that data and decides to optimize the arithmetic creating temporary variables that it leaves hanging about?
> 
> I don't think the C# compiler can do that quite yet because there isn't a way to declare the BigInteger classes meet the laws of the arithmetic operators. So even though I can write a = b+c-b, the compiler can't optimize that away to a = b.
> 
> But not too far-fetched to think it might one day in the future.
> 
If I’m not mistaken, countless pixels have been blackened (whitened, I assume, for those using dark mode) on this very topic since… time immemorial? I believe it is understood that on a general purpose CPU, the C and C++ compilers will aggressively attempt to optimize away any “side-effect free” attempt at zeroing memory storage (this is me also acknowledging I can’t speak for the C# compiler, though my experiences with the “lower-level” C and C++ compilers make me generally wary on the whole topic).

As in: when you generate an RSA key with OpenSSL on your Windows/Mac/Linux box, all kinds of traces of that computation are likely left around after the fact.

It is only in better controlled environments (special purpose processors along with potentially purpose-modified compilers and/or direct assembly coding) that there is any hope to “clean up” after oneself after a cryptographic operation of any kind.
--  
Bertrand
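The dead-store problem described above, as an added C example that is not part of either poster's code: `derive_unsafe` wipes its scratch buffer with a plain `memset` that the optimizer is entitled to drop because the buffer is dead afterwards, while `derive_safe` wipes it through a volatile pointer, which the compiler must emit. The "key derivation" here is a constructed toy (XOR expansion and fold), not RSA, and `SCRATCH_LEN`, `secure_memzero`, `count_nonzero` and the seed bytes are assumptions made for this example. Where the platform provides `memset_s` (C11 Annex K) or `explicit_bzero` (glibc, BSD), those are the preferred way to get the same guarantee.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64  /* size of the secret-bearing scratch buffer (assumed) */

/* Zeroing through a volatile pointer: every store is an observable side
   effect the compiler has to emit, so dead-store elimination cannot remove
   it. memset_s / explicit_bzero give the same guarantee where available. */
void secure_memzero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* Counts bytes that are not zero; used to check that a wipe really happened. */
size_t count_nonzero(const uint8_t *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c += (p[i] != 0);
    }
    return c;
}

/* Constructed toy "derivation": expands a secret seed into the scratch
   buffer (so the scratch holds seed-dependent bytes) and folds it into out. */
static void expand_and_fold(const uint8_t *seed, size_t seed_len,
                            uint8_t scratch[SCRATCH_LEN], uint8_t out[16])
{
    for (size_t i = 0; i < SCRATCH_LEN; i++) {
        scratch[i] = seed[i % seed_len] ^ (uint8_t)(i * 0x9Du);
    }
    memset(out, 0, 16);
    for (size_t i = 0; i < SCRATCH_LEN; i++) {
        out[i % 16] ^= scratch[i];
    }
}

/* Risky pattern: scratch is dead after the memset, so an optimizing compiler
   may legally delete the memset and leave seed-derived bytes on the stack. */
void derive_unsafe(const uint8_t *seed, size_t seed_len, uint8_t out[16])
{
    uint8_t scratch[SCRATCH_LEN];
    expand_and_fold(seed, seed_len, scratch, out);
    memset(scratch, 0, sizeof scratch);  /* candidate for dead-store elimination */
}

/* Hardened pattern: the volatile stores survive optimization. */
void derive_safe(const uint8_t *seed, size_t seed_len, uint8_t out[16])
{
    uint8_t scratch[SCRATCH_LEN];
    expand_and_fold(seed, seed_len, scratch, out);
    secure_memzero(scratch, sizeof scratch);
}

/* Returns 1 if both variants produce the same output (the wipe must not
   change functional behaviour) and secure_memzero leaves no nonzero byte. */
int wipe_roundtrip_ok(void)
{
    static const uint8_t seed[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed */
    uint8_t a[16], b[16], buf[SCRATCH_LEN];

    derive_unsafe(seed, sizeof seed, a);
    derive_safe(seed, sizeof seed, b);
    if (memcmp(a, b, 16) != 0) {
        return 0;
    }

    memset(buf, 0xA5, sizeof buf);
    if (count_nonzero(buf, sizeof buf) != sizeof buf) {
        return 0;
    }
    secure_memzero(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf) == 0;
}

int main(void)
{
    int ok = wipe_roundtrip_ok();
    printf("wipe round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The test only confirms that `secure_memzero` clears memory and that the wipe does not alter results; whether `derive_unsafe` actually loses its `memset` depends on the compiler and optimization level, which is exactly why it cannot be relied on. Comparing the generated assembly of the two functions at `-O2` is the practical way to see the difference on a given toolchain.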