Tweet
Originally posted by F.Ultra
View Post
-
What exactly do you mean? Integer addition now leaks timing information based on the values added? The shifts are static so there's no info there, and surely XOR is still constant... Right?
-
ADD, SHL, SHR, and XOR are all on the list of instructions that Intel says are guaranteed to be constant time only if DOITM is enabled. so without this mitigation enabled, they might not be constant-time.Originally posted by microcode View PostComment
-
Surely shifts of the same shift distance (the only kind in a ChaCha round) are constant time when the only difference is the register content... And XOR?Originally posted by hotaru View Post
How did this happen?Comment
-
caching results based on operands would be enough to invalidate the timing. a superscalar cpu doing Tomasulo's algorithm has enough information available to do this for large blocks of cryptographic code. normally TA wouldn't look at the values of registers, but doing so could give it a huge boost.Originally posted by microcode View Post
processors aren't scalar anymore, so scalar assumptions don't matter.Last edited by Developer12; 03 February 2023, 07:26 PM.Comment
-
Surely it would be more expensive to cache basic integer operations based on register content, than to compute them... Plus, there are no branches nor any variable fetches, so the branch predictor and instruction scheduler have no reason to look at the values... I'll look into it, but the explanations you've given don't make sense to me.Originally posted by Developer12 View Post
The operands are the same every quarter round anyway, there is no information leaked from that.Comment
Comment