[Cryptography] Compiler optimization side channel
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Aug 29 01:12:40 EDT 2024
Patrick Chkoreff <pc at fexl.com> writes:
>Every time I hear discussion of wiping memory, constant time execution, and
>side channels, it makes me wonder: How much hostile software are you
>actually running on your machine along with your crypto applications? Do you
>really have processes running on the same hardware that are actively timing
>your operations and spying on cache lines and swapped pages?
This goes back to something I mentioned in the Bollocks talk, side channels
are about number 17,700 (or whatever number it was I made up) in the priority
of attacks that need to be dealt with. I've been unable to identify any case
of this ever occurring, for the reasons covered in the talk. You get a
conference paper, a cool acronym, and some news coverage, that's it.
However it does have a cost, unfortunately one that's almost impossible to put
a figure to. Every time someone comes up with a new attack there's a new
mitigation put in place, usually advertised as having a single-digit cost.
However all these low(ish)-overhead mitigations add up, but the total depends
on whether it's an older CPU with the mitigation done in software or a newer
one with hardware mitigation and therefore less impact. Let's say, for the
sake of argument, that overall you've got about a 20% performance loss
compared to a CPU with no mitigations for all the various issues in place.
International Energy Agency figures show that data centres "accounted for
around 330 Mt CO2 equivalent in 2020"
(https://www.iea.org/energy-system/buildings/data-centres-and-data-transmission-networks),
this was long before AI came along so let's round it up to 500Mt. That's
purely for data centres, I can't find any figure for how they compare to
global desktop and laptop usage, various figures claim low billions but
they're going to use a lot less energy than server-grade CPUs so let's roll it
into the 0.5Gt for data centres.
Using the 20% figure, that means 0.1Gt or 100Mt of CO2-equivalent is being
produced to mitigate an attack type that, as far as we can tell, no-one uses.
So mitigations for attacks that don't exist have a price, and that could be
100 million tons of CO2-equivalent carbon footprint.
(If anyone has more concrete figures I'd love to see them, and possibly use
them in the talk).
Peter.
More information about the cryptography
mailing list