[Cryptography] Compiler optimization side channel
Phillip Hallam-Baker
phill at hallambaker.com
Tue Aug 27 23:35:05 EDT 2024
On Tue, Aug 27, 2024 at 2:27 PM Christian Huitema <huitema at huitema.net> wrote:
>
> On 8/25/2024 6:28 PM, Jerry Leichter wrote:
> >> ...
> > Yes, but what exactly does "don't optimize this code" mean? There are
> > typically many ways to express the same source statements in specific
> > machine instructions, and which ones are "optimized" is in the eye of the
> > beholder.
>
> Yes. It might work in practice, but it seems to be essentially a
> negative statement, "don't do this behavior that I know is harmful". And
> you are right that just "not optimizing" does not provide any guarantee
> about side effects of the default behavior.
>
I don't think we need to go beyond 'don't perform code
substitution/elimination' or perhaps 'don't do any optimization that would
confuse the debugger'.
Since I am working in C#, I can play a few tricks such as using code
reflection to get at private variables and zero them on exit. Or I could
simply substitute my own RedInt class for BigInt with appropriate handling.
> > The original message to which I was responding actually gives two
> > examples of what you *really* need to be able to say: "Don't leave copies
> > of this data around," and "this loop needs to run in constant time."
> > Neither of these corresponds in any direct way to "don't optimize this
> > code." In fact, generating a constant-time loop is highly instruction set
> > - and sometimes particular implementation of that instruction set -
> > specific. There is no particular reason to think that the non-optimized
> > output from the compiler - whatever that might mean - will always be
> > constant-time, no matter what the source code says.
>
> Yes indeed. We want to say something like, "compiler, please, try to
> execute the following statements in constant time, whatever the
> variations in cache and branches." And yes, it is something better done
> in the compiler itself than by trying to write code with magical
> properties.
I don't think we need to try constant time because I don't think any
compiler is capable of guaranteeing that.
I never trusted the Montgomery ladder, I prefer blinding. Though some folk
seem to not get the fact that whether you add a random value to mask a
private key or split it into two, it's the same thing.
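The masking-versus-splitting point above, worked through as an added example (mine, not code from anyone in the thread): additive blinding of a modular exponentiation written both ways, using constructed toy parameters (a Mersenne prime modulus, base 3) that are not suitable for real use.

```python
import secrets

# Constructed toy parameters (NOT for real use): a Mersenne prime modulus and
# a fixed base. Exponents are reduced modulo the group order q = p - 1.
P = (1 << 127) - 1
Q = P - 1
G = 3

def exp_masked(g, k, r, p=P, q=Q):
    """Additive masking: exponentiate with k + r, then strip g^r off again.
    The exponentiation loop only ever sees the masked exponent k + r."""
    blinded = pow(g, (k + r) % q, p)      # g^(k+r)
    unmask = pow(g, (-r) % q, p)          # g^(-r)
    return (blinded * unmask) % p         # g^k

def exp_split(g, k, r, p=P, q=Q):
    """Additive splitting: k = k1 + k2 (mod q) with k1 = r random, k2 = k - r.
    Two exponentiations on the shares, recombined by one multiplication."""
    k1 = r % q
    k2 = (k - r) % q
    return (pow(g, k1, p) * pow(g, k2, p)) % p

def shares_coincide(k, r, q=Q):
    """The masked exponent (k + r) and the split share (k - r) are the same
    quantity up to the sign of r: masking with -r is exactly the second share,
    and g^r is the first share. That is the sense in which both are 'the same'."""
    masked_with_neg_r = (k + (-r)) % q
    split_share = (k - r) % q
    return masked_with_neg_r == split_share

def demo(k):
    """Fresh mask per call, so the exponents actually processed differ every
    time while the result is always g^k. Returns True when all three agree."""
    r = secrets.randbelow(Q)
    plain = pow(G, k, P)
    return (plain == exp_masked(G, k, r) == exp_split(G, k, r)
            and shares_coincide(k, r))
```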