Hacker News new | past | comments | ask | show | jobs | submit login

The worst case is that today you promise secrecy for, e.g., the MUL inputs, and then realize in several years that you really want to make a faster variable-time multiplier; the commitment would then force you to add a new MULABORT instruction rather than violating the secrecy of the MUL instruction. Of course, if you don't make any commitments, then programmers have no choice but to rely on observations of CPU behavior; many of those programmers will assume constant-time MUL, and if you switch to variable-time MUL then you will be breaking cryptographic security.

I disagree with this and think he has it backwards; the majority of applications will benefit from early-out multiplication, and it's only crypto that wants constant-time. Also, MUL has never been constant-time on x86, ever since the 8086. My suggestion would be to add a control register bit that puts the CPU into a mode where the guarantees needed for crypto are true. All that software would need to do is set the bit before performing sensitive operations, and clear it afterwards.




I believe that's his point; I read that section not as "please make these instructions constant-time" and more as "please document whether these instructions are constant-time, so that we can rely on them being constant-time". If an instruction is constant time but then a new chipset comes out with early-exit semantics for multiplication, everything previously compiled for that architecture is suddenly vulnerable to timing attacks when it wasn't previously. He's just looking for a commitment for the leak and timing semantics of various instructions, even if the commitment is "you cannot rely upon this being constant-time".




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: