[Cryptography] Compiler optimization side channel
Jerry Leichter
leichter at lrw.com
Wed Aug 28 17:18:16 EDT 2024
> Every time I hear discussion of wiping memory, constant time execution, and side channels, it makes me wonder: How much hostile software are you actually running on your machine along with your crypto applications? Do you really have processes running on the same hardware that are actively timing your operations and spying on cache lines and swapped pages?
>
> Now maybe some of these concerns are about side channels that leak out of the machine, such as network interfaces, power supplies, or even EM radiation. But it doesn't seem that secrets lying around in memory or cache would matter there. Perhaps constant time execution might matter in theory, but isn't that a very subtle effect from outside the machine?
>
> So it sounds like the primary threat being addressed is the presence of "snoop-ware" running on the same machine as the sensitive crypto operations. Is that correct? I mean, for example, are we talking about maybe a compromised version of GIMP sniffing your cache lines while you're working with a private key?
Indeed, we're back to Peter Gutmann's slide deck "Why Quantum Cryptanalysis is Bollocks." Yes, these are attacks - but how important/significant are they? The fact is that new zero days - in *everything* - are reported every day. Watching cache lines to figure out encryption keys is hardly the lowest-cost way to steal information. As far as I know, *none* of these techniques has ever been seen "in the wild."
It's not that applying some reasonable amount of effort to avoid at least the more obvious issues isn't worth it. But in the grand scheme of things, this is not where your losses are likely to be, and not where you get the most extra security in return for your development efforts and other costs (like reduced performance).
In the meanwhile, the whole point of cryptography is to deliver the decrypted data for other processing! The same leakage applies to the decrypted data - but *no one* is even considering writing the code that manipulates the decrypted data with anything like the intense effort applied to the crypto code.
Now, there's an interesting point here: The decrypted data is often quite large, and leaking just a small number of bits *usually* doesn't much matter. (Leaking just the name of an acquisition target could be worth tens of millions, so it's not *always*!) Keys concentrate a large amount of security value in a small number of bits. That's really why we spend so much time worrying about attacks that can extract a few bits here and there over a period of time.
(Not serious) Maybe it's time to listen to all the whiners who came up with "super secure" cryptosystems based on million-bit keys? :-)
-- Jerry