Originally posted by F.Ultra
View Post
Announcement
Collapse
No announcement yet.
Linux Developers Evaluating New "DOITM" Security Mitigation For Latest Intel CPUs
Collapse
X
-
Originally posted by microcode View Post
What exactly do you mean? Integer addition now leaks timing information based on the values added? The shifts are static so there's no info there, and surely XOR is still constant... Right?
Comment
-
Originally posted by hotaru View PostADD, SHL, SHR, and XOR are all on the list of instructions that Intel says are guaranteed to be constant time only if DOITM is enabled. so without this mitigation enabled, they might not be constant-time
How did this happen?
Comment
-
Originally posted by microcode View Post
Surely shifts of the same shift distance (the only kind in a ChaCha round) are constant time when the only difference is the register content... And XOR?
How did this happen?
processors aren't scalar anymore, so scalar assumptions don't matter.Last edited by Developer12; 03 February 2023, 07:26 PM.
Comment
-
Originally posted by Developer12 View Post
caching results based on operands would be enough to invalidate the timing. a superscalar cpu doing Tomasulo's algorithm has enough information available to do this for large blocks of cryptographic code. normally TA wouldn't look at the values of registers, but doing so could give it a huge boost.
processors aren't scalar anymore, so scalar assumptions don't matter.
The operands are the same every quarter round anyway, there is no information leaked from that.
Comment
Comment