cryptographic 1972 parnas on the criteria software
play

Cryptographic 1972 Parnas On the criteria software engineering, to - PowerPoint PPT Presentation

1 2 Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing part 1 systems into modules: Daniel J. Bernstein We propose instead that one begins with a list of difficult design decisions or This


  1. 3 4 Not so easy: Timing attacks How typical software checks 16-byte authenticator: 1970s: TENEX operating system simple for (i = 0;i < 16;++i) compares user-supplied string complex. if (x[i] != y[i]) return against secret password return 1; one character at a time, rs. stopping at first difference: this: • AAAAAA vs. FRIEND : stop at 1. • FAAAAA vs. FRIEND : stop at 2. checking • FRAAAA vs. FRIEND : stop at 3. but Attacker sees comparison time, should deduces position of difference. rticularly A few hundred tries reveal secret password.

  2. 4 5 Not so easy: Timing attacks How typical software checks 16-byte authenticator: 1970s: TENEX operating system for (i = 0;i < 16;++i) compares user-supplied string if (x[i] != y[i]) return 0; against secret password return 1; one character at a time, stopping at first difference: • AAAAAA vs. FRIEND : stop at 1. • FAAAAA vs. FRIEND : stop at 2. • FRAAAA vs. FRIEND : stop at 3. Attacker sees comparison time, deduces position of difference. A few hundred tries reveal secret password.

  3. 4 5 Not so easy: Timing attacks How typical software checks 16-byte authenticator: 1970s: TENEX operating system for (i = 0;i < 16;++i) compares user-supplied string if (x[i] != y[i]) return 0; against secret password return 1; one character at a time, stopping at first difference: Fix, eliminating information flow from secrets to timings: • AAAAAA vs. FRIEND : stop at 1. diff = 0; • FAAAAA vs. FRIEND : stop at 2. for (i = 0;i < 16;++i) • FRAAAA vs. FRIEND : stop at 3. diff |= x[i] ^ y[i]; Attacker sees comparison time, return 1 & ((diff-1) >> 8); deduces position of difference. Notice that the language A few hundred tries makes the wrong thing simple reveal secret password. and the right thing complex.

  4. 4 5 easy: Timing attacks How typical software checks Language 16-byte authenticator: “right” is TENEX operating system for (i = 0;i < 16;++i) res user-supplied string So mistak if (x[i] != y[i]) return 0; against secret password return 1; character at a time, stopping at first difference: Fix, eliminating information flow from secrets to timings: AAAAAA vs. FRIEND : stop at 1. diff = 0; FAAAAA vs. FRIEND : stop at 2. for (i = 0;i < 16;++i) FRAAAA vs. FRIEND : stop at 3. diff |= x[i] ^ y[i]; er sees comparison time, return 1 & ((diff-1) >> 8); deduces position of difference. Notice that the language hundred tries makes the wrong thing simple secret password. and the right thing complex.

  5. 4 5 Timing attacks How typical software checks Language designer’s 16-byte authenticator: “right” is too weak operating system for (i = 0;i < 16;++i) user-supplied string So mistakes continue if (x[i] != y[i]) return 0; password return 1; a time, difference: Fix, eliminating information flow from secrets to timings: FRIEND : stop at 1. diff = 0; FRIEND : stop at 2. for (i = 0;i < 16;++i) FRIEND : stop at 3. diff |= x[i] ^ y[i]; comparison time, return 1 & ((diff-1) >> 8); of difference. Notice that the language tries makes the wrong thing simple password. and the right thing complex.

  6. 4 5 attacks How typical software checks Language designer’s notion of 16-byte authenticator: “right” is too weak for securit system for (i = 0;i < 16;++i) string So mistakes continue to happ if (x[i] != y[i]) return 0; return 1; difference: Fix, eliminating information flow from secrets to timings: stop at 1. diff = 0; stop at 2. for (i = 0;i < 16;++i) stop at 3. diff |= x[i] ^ y[i]; time, return 1 & ((diff-1) >> 8); difference. Notice that the language makes the wrong thing simple and the right thing complex.

  7. 5 6 How typical software checks Language designer’s notion of 16-byte authenticator: “right” is too weak for security. for (i = 0;i < 16;++i) So mistakes continue to happen. if (x[i] != y[i]) return 0; return 1; Fix, eliminating information flow from secrets to timings: diff = 0; for (i = 0;i < 16;++i) diff |= x[i] ^ y[i]; return 1 & ((diff-1) >> 8); Notice that the language makes the wrong thing simple and the right thing complex.

  8. 5 6 How typical software checks Language designer’s notion of 16-byte authenticator: “right” is too weak for security. for (i = 0;i < 16;++i) So mistakes continue to happen. if (x[i] != y[i]) return 0; One of many examples, return 1; part of the reference software for Fix, eliminating information flow one of the CAESAR candidates: from secrets to timings: /* compare the tag */ diff = 0; int i; for (i = 0;i < 16;++i) for(i = 0;i < CRYPTO_ABYTES;i++) diff |= x[i] ^ y[i]; if(tag[i] != c[(*mlen) + i]){ return 1 & ((diff-1) >> 8); return RETURN_TAG_NO_MATCH; Notice that the language } makes the wrong thing simple return RETURN_SUCCESS; and the right thing complex.

  9. 5 6 ypical software checks Language designer’s notion of Do timing yte authenticator: “right” is too weak for security. Objection: (i = 0;i < 16;++i) So mistakes continue to happen. (x[i] != y[i]) return 0; One of many examples, return 1; part of the reference software for eliminating information flow one of the CAESAR candidates: secrets to timings: /* compare the tag */ = 0; int i; (i = 0;i < 16;++i) for(i = 0;i < CRYPTO_ABYTES;i++) diff |= x[i] ^ y[i]; if(tag[i] != c[(*mlen) + i]){ return 1 & ((diff-1) >> 8); return RETURN_TAG_NO_MATCH; that the language } the wrong thing simple return RETURN_SUCCESS; the right thing complex.

  10. 5 6 ware checks Language designer’s notion of Do timing attacks authenticator: “right” is too weak for security. Objection: “Timings 16;++i) So mistakes continue to happen. y[i]) return 0; One of many examples, part of the reference software for information flow one of the CAESAR candidates: timings: /* compare the tag */ int i; 16;++i) for(i = 0;i < CRYPTO_ABYTES;i++) ^ y[i]; if(tag[i] != c[(*mlen) + i]){ ((diff-1) >> 8); return RETURN_TAG_NO_MATCH; language } wrong thing simple return RETURN_SUCCESS; thing complex.

  11. 5 6 checks Language designer’s notion of Do timing attacks really work? “right” is too weak for security. Objection: “Timings are noisy! So mistakes continue to happen. return 0; One of many examples, part of the reference software for rmation flow one of the CAESAR candidates: /* compare the tag */ int i; for(i = 0;i < CRYPTO_ABYTES;i++) if(tag[i] != c[(*mlen) + i]){ >> 8); return RETURN_TAG_NO_MATCH; } imple return RETURN_SUCCESS; complex.

  12. 6 7 Language designer’s notion of Do timing attacks really work? “right” is too weak for security. Objection: “Timings are noisy!” So mistakes continue to happen. One of many examples, part of the reference software for one of the CAESAR candidates: /* compare the tag */ int i; for(i = 0;i < CRYPTO_ABYTES;i++) if(tag[i] != c[(*mlen) + i]){ return RETURN_TAG_NO_MATCH; } return RETURN_SUCCESS;

  13. 6 7 Language designer’s notion of Do timing attacks really work? “right” is too weak for security. Objection: “Timings are noisy!” So mistakes continue to happen. Answer #1: One of many examples, Does noise stop all attacks? part of the reference software for To guarantee security, defender one of the CAESAR candidates: must block all information flow. /* compare the tag */ int i; for(i = 0;i < CRYPTO_ABYTES;i++) if(tag[i] != c[(*mlen) + i]){ return RETURN_TAG_NO_MATCH; } return RETURN_SUCCESS;

  14. 6 7 Language designer’s notion of Do timing attacks really work? “right” is too weak for security. Objection: “Timings are noisy!” So mistakes continue to happen. Answer #1: One of many examples, Does noise stop all attacks? part of the reference software for To guarantee security, defender one of the CAESAR candidates: must block all information flow. Answer #2: Attacker uses /* compare the tag */ statistics to eliminate noise. int i; for(i = 0;i < CRYPTO_ABYTES;i++) if(tag[i] != c[(*mlen) + i]){ return RETURN_TAG_NO_MATCH; } return RETURN_SUCCESS;

  15. 6 7 Language designer’s notion of Do timing attacks really work? “right” is too weak for security. Objection: “Timings are noisy!” So mistakes continue to happen. Answer #1: One of many examples, Does noise stop all attacks? part of the reference software for To guarantee security, defender one of the CAESAR candidates: must block all information flow. Answer #2: Attacker uses /* compare the tag */ statistics to eliminate noise. int i; for(i = 0;i < CRYPTO_ABYTES;i++) Answer #3, what the if(tag[i] != c[(*mlen) + i]){ 1970s attackers actually did: return RETURN_TAG_NO_MATCH; Cross page boundary, } inducing page faults, return RETURN_SUCCESS; to amplify timing signal.

  16. 6 7 Language designer’s notion of Do timing attacks really work? Defenders “right” is too weak for security. Objection: “Timings are noisy!” Some of mistakes continue to happen. Answer #1: 1996 Ko of many examples, Does noise stop all attacks? attacks on of the reference software for To guarantee security, defender Briefly mentioned the CAESAR candidates: must block all information flow. Kocher and Answer #2: Attacker uses Schneier–W compare the tag */ statistics to eliminate noise. secret arra affect timing 0;i < CRYPTO_ABYTES;i++) Answer #3, what the if(tag[i] != c[(*mlen) + i]){ 1970s attackers actually did: 2002 Page, return RETURN_TAG_NO_MATCH; Cross page boundary, Suzaki–Shigeri–Miy inducing page faults, timing attacks RETURN_SUCCESS; to amplify timing signal.

  17. 6 7 designer’s notion of Do timing attacks really work? Defenders don’t lea eak for security. Objection: “Timings are noisy!” Some of the literature: continue to happen. Answer #1: 1996 Kocher pointed examples, Does noise stop all attacks? attacks on cryptographi reference software for To guarantee security, defender Briefly mentioned CAESAR candidates: must block all information flow. Kocher and by 1998 Answer #2: Attacker uses Schneier–Wagner–Hall: tag */ statistics to eliminate noise. secret array indices affect timing via cache CRYPTO_ABYTES;i++) Answer #3, what the c[(*mlen) + i]){ 1970s attackers actually did: 2002 Page, 2003 Tsuno RETURN_TAG_NO_MATCH; Cross page boundary, Suzaki–Shigeri–Miy inducing page faults, timing attacks on RETURN_SUCCESS; to amplify timing signal.

  18. 6 7 notion of Do timing attacks really work? Defenders don’t learn security. Objection: “Timings are noisy!” Some of the literature: happen. Answer #1: 1996 Kocher pointed out timing Does noise stop all attacks? attacks on cryptographic key are for To guarantee security, defender Briefly mentioned by candidates: must block all information flow. Kocher and by 1998 Kelsey– Answer #2: Attacker uses Schneier–Wagner–Hall: statistics to eliminate noise. secret array indices can affect timing via cache misse CRYPTO_ABYTES;i++) Answer #3, what the + i]){ 1970s attackers actually did: 2002 Page, 2003 Tsunoo–Sa RETURN_TAG_NO_MATCH; Cross page boundary, Suzaki–Shigeri–Miyauchi: inducing page faults, timing attacks on DES. to amplify timing signal.

  19. 7 8 Do timing attacks really work? Defenders don’t learn Objection: “Timings are noisy!” Some of the literature: Answer #1: 1996 Kocher pointed out timing Does noise stop all attacks? attacks on cryptographic key bits. To guarantee security, defender Briefly mentioned by must block all information flow. Kocher and by 1998 Kelsey– Answer #2: Attacker uses Schneier–Wagner–Hall: statistics to eliminate noise. secret array indices can affect timing via cache misses. Answer #3, what the 1970s attackers actually did: 2002 Page, 2003 Tsunoo–Saito– Cross page boundary, Suzaki–Shigeri–Miyauchi: inducing page faults, timing attacks on DES. to amplify timing signal.

  20. 7 8 timing attacks really work? Defenders don’t learn “Guaranteed” load entire Objection: “Timings are noisy!” Some of the literature: er #1: 1996 Kocher pointed out timing noise stop all attacks? attacks on cryptographic key bits. guarantee security, defender Briefly mentioned by block all information flow. Kocher and by 1998 Kelsey– er #2: Attacker uses Schneier–Wagner–Hall: statistics to eliminate noise. secret array indices can affect timing via cache misses. er #3, what the attackers actually did: 2002 Page, 2003 Tsunoo–Saito– page boundary, Suzaki–Shigeri–Miyauchi: inducing page faults, timing attacks on DES. amplify timing signal.

  21. 7 8 attacks really work? Defenders don’t learn “Guaranteed” counterme load entire table into Timings are noisy!” Some of the literature: 1996 Kocher pointed out timing all attacks? attacks on cryptographic key bits. security, defender Briefly mentioned by information flow. Kocher and by 1998 Kelsey– ttacker uses Schneier–Wagner–Hall: eliminate noise. secret array indices can affect timing via cache misses. what the actually did: 2002 Page, 2003 Tsunoo–Saito– oundary, Suzaki–Shigeri–Miyauchi: aults, timing attacks on DES. timing signal.

  22. 7 8 ork? Defenders don’t learn “Guaranteed” countermeasur load entire table into cache. noisy!” Some of the literature: 1996 Kocher pointed out timing attacks? attacks on cryptographic key bits. defender Briefly mentioned by flow. Kocher and by 1998 Kelsey– Schneier–Wagner–Hall: noise. secret array indices can affect timing via cache misses. did: 2002 Page, 2003 Tsunoo–Saito– Suzaki–Shigeri–Miyauchi: timing attacks on DES.

  23. 8 9 Defenders don’t learn “Guaranteed” countermeasure: load entire table into cache. Some of the literature: 1996 Kocher pointed out timing attacks on cryptographic key bits. Briefly mentioned by Kocher and by 1998 Kelsey– Schneier–Wagner–Hall: secret array indices can affect timing via cache misses. 2002 Page, 2003 Tsunoo–Saito– Suzaki–Shigeri–Miyauchi: timing attacks on DES.

  24. 8 9 Defenders don’t learn “Guaranteed” countermeasure: load entire table into cache. Some of the literature: 2004.11/2005.04 Bernstein: 1996 Kocher pointed out timing Timing attacks on AES. attacks on cryptographic key bits. Countermeasure isn’t safe; Briefly mentioned by e.g., secret array indices can affect Kocher and by 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can from secrets to array indices. affect timing via cache misses. 2002 Page, 2003 Tsunoo–Saito– Suzaki–Shigeri–Miyauchi: timing attacks on DES.

  25. 8 9 Defenders don’t learn “Guaranteed” countermeasure: load entire table into cache. Some of the literature: 2004.11/2005.04 Bernstein: 1996 Kocher pointed out timing Timing attacks on AES. attacks on cryptographic key bits. Countermeasure isn’t safe; Briefly mentioned by e.g., secret array indices can affect Kocher and by 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can from secrets to array indices. affect timing via cache misses. 2005 Tromer–Osvik–Shamir: 2002 Page, 2003 Tsunoo–Saito– 65ms to steal Linux AES key Suzaki–Shigeri–Miyauchi: used for hard-disk encryption. timing attacks on DES.

  26. 8 9 Defenders don’t learn “Guaranteed” countermeasure: Intel recomme load entire table into cache. OpenSSL of the literature: countermeasure: 2004.11/2005.04 Bernstein: Kocher pointed out timing from kno Timing attacks on AES. attacks on cryptographic key bits. Countermeasure isn’t safe; mentioned by e.g., secret array indices can affect cher and by 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow array indices can from secrets to array indices. timing via cache misses. 2005 Tromer–Osvik–Shamir: age, 2003 Tsunoo–Saito– 65ms to steal Linux AES key Suzaki–Shigeri–Miyauchi: used for hard-disk encryption. attacks on DES.

  27. 8 9 learn “Guaranteed” countermeasure: Intel recommends, load entire table into cache. OpenSSL integrates, literature: countermeasure: alw 2004.11/2005.04 Bernstein: ointed out timing from known lines of Timing attacks on AES. cryptographic key bits. Countermeasure isn’t safe; mentioned by e.g., secret array indices can affect 1998 Kelsey– timing via cache-bank collisions. agner–Hall: What is safe: kill all data flow indices can from secrets to array indices. cache misses. 2005 Tromer–Osvik–Shamir: Tsunoo–Saito– 65ms to steal Linux AES key Suzaki–Shigeri–Miyauchi: used for hard-disk encryption. on DES.

  28. 8 9 “Guaranteed” countermeasure: Intel recommends, and load entire table into cache. OpenSSL integrates, cheaper countermeasure: always loading 2004.11/2005.04 Bernstein: timing from known lines of cache. Timing attacks on AES. ey bits. Countermeasure isn’t safe; e.g., secret array indices can affect Kelsey– timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. misses. 2005 Tromer–Osvik–Shamir: o–Saito– 65ms to steal Linux AES key used for hard-disk encryption.

  29. 9 10 “Guaranteed” countermeasure: Intel recommends, and load entire table into cache. OpenSSL integrates, cheaper countermeasure: always loading 2004.11/2005.04 Bernstein: from known lines of cache. Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2005 Tromer–Osvik–Shamir: 65ms to steal Linux AES key used for hard-disk encryption.

  30. 9 10 “Guaranteed” countermeasure: Intel recommends, and load entire table into cache. OpenSSL integrates, cheaper countermeasure: always loading 2004.11/2005.04 Bernstein: from known lines of cache. Timing attacks on AES. Countermeasure isn’t safe; 2013 Bernstein–Schwabe e.g., secret array indices can affect “A word of warning”: timing via cache-bank collisions. This countermeasure isn’t safe. What is safe: kill all data flow Variable-time lab experiment. from secrets to array indices. Same issues described in 2004. 2005 Tromer–Osvik–Shamir: 65ms to steal Linux AES key used for hard-disk encryption.

  31. 9 10 “Guaranteed” countermeasure: Intel recommends, and load entire table into cache. OpenSSL integrates, cheaper countermeasure: always loading 2004.11/2005.04 Bernstein: from known lines of cache. Timing attacks on AES. Countermeasure isn’t safe; 2013 Bernstein–Schwabe e.g., secret array indices can affect “A word of warning”: timing via cache-bank collisions. This countermeasure isn’t safe. What is safe: kill all data flow Variable-time lab experiment. from secrets to array indices. Same issues described in 2004. 2005 Tromer–Osvik–Shamir: 2016 Yarom–Genkin–Heninger 65ms to steal Linux AES key “CacheBleed” steals RSA secret used for hard-disk encryption. key via timings of OpenSSL.

  32. 9 10 ranteed” countermeasure: Intel recommends, and 2008 RF entire table into cache. OpenSSL integrates, cheaper Layer Securit countermeasure: always loading Version 1.2”: 2004.11/2005.04 Bernstein: from known lines of cache. small timing Timing attacks on AES. performance Countermeasure isn’t safe; 2013 Bernstein–Schwabe extent on secret array indices can affect “A word of warning”: fragment, via cache-bank collisions. This countermeasure isn’t safe. be large is safe: kill all data flow Variable-time lab experiment. due to the secrets to array indices. Same issues described in 2004. existing MA romer–Osvik–Shamir: 2016 Yarom–Genkin–Heninger of the timing to steal Linux AES key “CacheBleed” steals RSA secret for hard-disk encryption. key via timings of OpenSSL.

  33. 9 10 countermeasure: Intel recommends, and 2008 RFC 5246 “The into cache. OpenSSL integrates, cheaper Layer Security (TLS) countermeasure: always loading Version 1.2”: “This Bernstein: from known lines of cache. small timing channel, on AES. performance depends isn’t safe; 2013 Bernstein–Schwabe extent on the size indices can affect “A word of warning”: fragment, but it is cache-bank collisions. This countermeasure isn’t safe. be large enough to kill all data flow Variable-time lab experiment. due to the large blo array indices. Same issues described in 2004. existing MACs and romer–Osvik–Shamir: 2016 Yarom–Genkin–Heninger of the timing signal.” Linux AES key “CacheBleed” steals RSA secret rd-disk encryption. key via timings of OpenSSL.

  34. 9 10 asure: Intel recommends, and 2008 RFC 5246 “The Transp cache. OpenSSL integrates, cheaper Layer Security (TLS) Protocol, countermeasure: always loading Version 1.2”: “This leaves a Bernstein: from known lines of cache. small timing channel, since MA performance depends to some safe; 2013 Bernstein–Schwabe extent on the size of the data can affect “A word of warning”: fragment, but it is not believed collisions. This countermeasure isn’t safe. be large enough to be exploitable flow Variable-time lab experiment. due to the large block size of indices. Same issues described in 2004. existing MACs and the small romer–Osvik–Shamir: 2016 Yarom–Genkin–Heninger of the timing signal.” ey “CacheBleed” steals RSA secret encryption. key via timings of OpenSSL.

  35. 10 11 Intel recommends, and 2008 RFC 5246 “The Transport OpenSSL integrates, cheaper Layer Security (TLS) Protocol, countermeasure: always loading Version 1.2”: “This leaves a from known lines of cache. small timing channel, since MAC performance depends to some 2013 Bernstein–Schwabe extent on the size of the data “A word of warning”: fragment, but it is not believed to This countermeasure isn’t safe. be large enough to be exploitable, Variable-time lab experiment. due to the large block size of Same issues described in 2004. existing MACs and the small size 2016 Yarom–Genkin–Heninger of the timing signal.” “CacheBleed” steals RSA secret key via timings of OpenSSL.

  36. 10 11 Intel recommends, and 2008 RFC 5246 “The Transport OpenSSL integrates, cheaper Layer Security (TLS) Protocol, countermeasure: always loading Version 1.2”: “This leaves a from known lines of cache. small timing channel, since MAC performance depends to some 2013 Bernstein–Schwabe extent on the size of the data “A word of warning”: fragment, but it is not believed to This countermeasure isn’t safe. be large enough to be exploitable, Variable-time lab experiment. due to the large block size of Same issues described in 2004. existing MACs and the small size 2016 Yarom–Genkin–Heninger of the timing signal.” “CacheBleed” steals RSA secret 2013 AlFardan–Paterson “Lucky key via timings of OpenSSL. Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  37. 10 11 recommends, and 2008 RFC 5246 “The Transport How to write enSSL integrates, cheaper Layer Security (TLS) Protocol, If possible, countermeasure: always loading Version 1.2”: “This leaves a to control known lines of cache. small timing channel, since MAC Look for performance depends to some Bernstein–Schwabe identifying extent on the size of the data rd of warning”: “Division fragment, but it is not believed to countermeasure isn’t safe. when the be large enough to be exploitable, riable-time lab experiment. completes, due to the large block size of issues described in 2004. cycles re existing MACs and the small size arom–Genkin–Heninger values of of the timing signal.” “CacheBleed” steals RSA secret Measure 2013 AlFardan–Paterson “Lucky timings of OpenSSL. trusting Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  38. 10 11 s, and 2008 RFC 5246 “The Transport How to write constant-time integrates, cheaper Layer Security (TLS) Protocol, If possible, write co always loading Version 1.2”: “This leaves a to control instruction lines of cache. small timing channel, since MAC Look for documentation performance depends to some Bernstein–Schwabe identifying variabilit extent on the size of the data rning”: “Division operations fragment, but it is not believed to countermeasure isn’t safe. when the divide op be large enough to be exploitable, lab experiment. completes, with the due to the large block size of described in 2004. cycles required dep existing MACs and the small size rom–Genkin–Heninger values of the input of the timing signal.” steals RSA secret Measure cycles rather 2013 AlFardan–Paterson “Lucky of OpenSSL. trusting CPU documentation. Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  39. 10 11 2008 RFC 5246 “The Transport How to write constant-time cheaper Layer Security (TLS) Protocol, If possible, write code in asm loading Version 1.2”: “This leaves a to control instruction selection. cache. small timing channel, since MAC Look for documentation performance depends to some identifying variability: e.g., extent on the size of the data “Division operations terminate fragment, but it is not believed to safe. when the divide operation be large enough to be exploitable, eriment. completes, with the number due to the large block size of 2004. cycles required dependent on existing MACs and the small size rom–Genkin–Heninger values of the input operands.” of the timing signal.” secret Measure cycles rather than 2013 AlFardan–Paterson “Lucky enSSL. trusting CPU documentation. Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  40. 11 12 2008 RFC 5246 “The Transport How to write constant-time code Layer Security (TLS) Protocol, If possible, write code in asm Version 1.2”: “This leaves a to control instruction selection. small timing channel, since MAC Look for documentation performance depends to some identifying variability: e.g., extent on the size of the data “Division operations terminate fragment, but it is not believed to when the divide operation be large enough to be exploitable, completes, with the number of due to the large block size of cycles required dependent on the existing MACs and the small size values of the input operands.” of the timing signal.” Measure cycles rather than 2013 AlFardan–Paterson “Lucky trusting CPU documentation. Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  41. 11 12 RFC 5246 “The Transport How to write constant-time code Cut off all Security (TLS) Protocol, secrets to If possible, write code in asm ersion 1.2”: “This leaves a to control instruction selection. Cut off all timing channel, since MAC secrets to Look for documentation rmance depends to some identifying variability: e.g., Cut off all on the size of the data “Division operations terminate secrets to fragment, but it is not believed to when the divide operation rge enough to be exploitable, Prefer logic completes, with the number of the large block size of Prefer vecto cycles required dependent on the existing MACs and the small size values of the input operands.” timing signal.” Watch o variable-time Measure cycles rather than AlFardan–Paterson “Lucky Cortex-M3 trusting CPU documentation. Thirteen: breaking the TLS and record protocols”: exploit timings; steal plaintext.

  42. 11 12 “The Transport How to write constant-time code Cut off all data flo (TLS) Protocol, secrets to branch conditions. If possible, write code in asm his leaves a to control instruction selection. Cut off all data flo channel, since MAC secrets to array indices. Look for documentation ends to some identifying variability: e.g., Cut off all data flo size of the data “Division operations terminate secrets to shift/rotate is not believed to when the divide operation to be exploitable, Prefer logic instructions. completes, with the number of block size of Prefer vector instructions. cycles required dependent on the and the small size values of the input operands.” signal.” Watch out for CPUs variable-time multipliers: Measure cycles rather than rdan–Paterson “Lucky Cortex-M3 and most trusting CPU documentation. reaking the TLS and rotocols”: exploit steal plaintext.

  43. 11 12 ransport How to write constant-time code Cut off all data flow from Protocol, secrets to branch conditions. If possible, write code in asm a to control instruction selection. Cut off all data flow from since MAC secrets to array indices. Look for documentation some identifying variability: e.g., Cut off all data flow from data “Division operations terminate secrets to shift/rotate distances. elieved to when the divide operation exploitable, Prefer logic instructions. completes, with the number of of Prefer vector instructions. cycles required dependent on the all size values of the input operands.” Watch out for CPUs with variable-time multipliers: e.g., Measure cycles rather than “Lucky Cortex-M3 and most PowerPCs. trusting CPU documentation. TLS and exploit plaintext.

  44. 12 13 How to write constant-time code Cut off all data flow from secrets to branch conditions. If possible, write code in asm to control instruction selection. Cut off all data flow from secrets to array indices. Look for documentation identifying variability: e.g., Cut off all data flow from “Division operations terminate secrets to shift/rotate distances. when the divide operation Prefer logic instructions. completes, with the number of Prefer vector instructions. cycles required dependent on the values of the input operands.” Watch out for CPUs with variable-time multipliers: e.g., Measure cycles rather than Cortex-M3 and most PowerPCs. trusting CPU documentation.

  45. 12 13 to write constant-time code Cut off all data flow from Suppose secrets to branch conditions. const-time ossible, write code in asm control instruction selection. Cut off all data flow from Suppose secrets to array indices. has “ secret for documentation identifying variability: e.g., Cut off all data flow from Easy for “Division operations terminate secrets to shift/rotate distances. that secret the divide operation by const-time Prefer logic instructions. completes, with the number of Proofs of Prefer vector instructions. required dependent on the (uninitialized of the input operands.” Watch out for CPUs with ctgrind, variable-time multipliers: e.g., Measure cycles rather than Cortex-M3 and most PowerPCs. trusting CPU documentation.

  46. 12 13 constant-time code Cut off all data flow from Suppose we know secrets to branch conditions. const-time machine code in asm instruction selection. Cut off all data flow from Suppose programming secrets to array indices. has “ secret ” types. cumentation riability: e.g., Cut off all data flow from Easy for compiler to erations terminate secrets to shift/rotate distances. that secret types operation by const-time instructions. Prefer logic instructions. the number of Proofs of concept: Prefer vector instructions. dependent on the (uninitialized data input operands.” Watch out for CPUs with ctgrind, ct-verif, Flo variable-time multipliers: e.g., rather than Cortex-M3 and most PowerPCs. cumentation.

  47. 12 13 constant-time code Cut off all data flow from Suppose we know (some) secrets to branch conditions. const-time machine instructions. asm selection. Cut off all data flow from Suppose programming language secrets to array indices. has “ secret ” types. e.g., Cut off all data flow from Easy for compiler to guarantee terminate secrets to shift/rotate distances. that secret types are used by const-time instructions. Prefer logic instructions. er of Proofs of concept: Valgrind Prefer vector instructions. on the (uninitialized data as secret erands.” Watch out for CPUs with ctgrind, ct-verif, FlowTracker. variable-time multipliers: e.g., than Cortex-M3 and most PowerPCs. cumentation.

  48. 13 14 Cut off all data flow from Suppose we know (some) secrets to branch conditions. const-time machine instructions. Cut off all data flow from Suppose programming language secrets to array indices. has “ secret ” types. Cut off all data flow from Easy for compiler to guarantee secrets to shift/rotate distances. that secret types are used only by const-time instructions. Prefer logic instructions. Proofs of concept: Valgrind Prefer vector instructions. (uninitialized data as secret ), Watch out for CPUs with ctgrind, ct-verif, FlowTracker. variable-time multipliers: e.g., Cortex-M3 and most PowerPCs.

  49. 13 14 Cut off all data flow from Suppose we know (some) secrets to branch conditions. const-time machine instructions. Cut off all data flow from Suppose programming language secrets to array indices. has “ secret ” types. Cut off all data flow from Easy for compiler to guarantee secrets to shift/rotate distances. that secret types are used only by const-time instructions. Prefer logic instructions. Proofs of concept: Valgrind Prefer vector instructions. (uninitialized data as secret ), Watch out for CPUs with ctgrind, ct-verif, FlowTracker. variable-time multipliers: e.g., How can we implement, e.g., Cortex-M3 and most PowerPCs. sorting of a secret array?

  50. 13 14 all data flow from Suppose we know (some) Eliminating to branch conditions. const-time machine instructions. Let’s try all data flow from Suppose programming language Assume to array indices. has “ secret ” types. all data flow from Easy for compiler to guarantee to shift/rotate distances. that secret types are used only by const-time instructions. logic instructions. Proofs of concept: Valgrind vector instructions. (uninitialized data as secret ), out for CPUs with ctgrind, ct-verif, FlowTracker. riable-time multipliers: e.g., How can we implement, e.g., rtex-M3 and most PowerPCs. sorting of a secret array?

  51. 13 14 flow from Suppose we know (some) Eliminating branches ranch conditions. const-time machine instructions. Let’s try sorting 2 flow from Suppose programming language Assume int32 is secret indices. has “ secret ” types. flow from Easy for compiler to guarantee shift/rotate distances. that secret types are used only by const-time instructions. instructions. Proofs of concept: Valgrind instructions. (uninitialized data as secret ), CPUs with ctgrind, ct-verif, FlowTracker. multipliers: e.g., How can we implement, e.g., most PowerPCs. sorting of a secret array?

  52. 13 14 Suppose we know (some) Eliminating branches conditions. const-time machine instructions. Let’s try sorting 2 integers. Suppose programming language Assume int32 is secret . has “ secret ” types. Easy for compiler to guarantee distances. that secret types are used only by const-time instructions. Proofs of concept: Valgrind (uninitialized data as secret ), ctgrind, ct-verif, FlowTracker. e.g., How can we implement, e.g., erPCs. sorting of a secret array?

  53. 14 15 Suppose we know (some) Eliminating branches const-time machine instructions. Let’s try sorting 2 integers. Suppose programming language Assume int32 is secret . has “ secret ” types. Easy for compiler to guarantee that secret types are used only by const-time instructions. Proofs of concept: Valgrind (uninitialized data as secret ), ctgrind, ct-verif, FlowTracker. How can we implement, e.g., sorting of a secret array?

  54. 14 15 Suppose we know (some) Eliminating branches const-time machine instructions. Let’s try sorting 2 integers. Suppose programming language Assume int32 is secret . has “ secret ” types. void sort2(int32 *x) Easy for compiler to guarantee { int32 x0 = x[0]; that secret types are used only int32 x1 = x[1]; by const-time instructions. if (x1 < x0) { x[0] = x1; Proofs of concept: Valgrind x[1] = x0; (uninitialized data as secret ), } ctgrind, ct-verif, FlowTracker. } How can we implement, e.g., sorting of a secret array?

  55. 14 15 Suppose we know (some) Eliminating branches const-time machine instructions. Let’s try sorting 2 integers. Suppose programming language Assume int32 is secret . has “ secret ” types. void sort2(int32 *x) Easy for compiler to guarantee { int32 x0 = x[0]; that secret types are used only int32 x1 = x[1]; by const-time instructions. if (x1 < x0) { x[0] = x1; Proofs of concept: Valgrind x[1] = x0; (uninitialized data as secret ), } ctgrind, ct-verif, FlowTracker. } How can we implement, e.g., Unacceptable: not constant-time. sorting of a secret array?

  56. 14 15 ose we know (some) Eliminating branches void sort2(int32 const-time machine instructions. { int32 Let’s try sorting 2 integers. int32 ose programming language Assume int32 is secret . if (x1 secret ” types. void sort2(int32 *x) x[0] for compiler to guarantee { int32 x0 = x[0]; x[1] secret types are used only int32 x1 = x[1]; } else const-time instructions. if (x1 < x0) { x[0] x[0] = x1; x[1] of concept: Valgrind x[1] = x0; } (uninitialized data as secret ), } } ctgrind, ct-verif, FlowTracker. } can we implement, e.g., Unacceptable: not constant-time. of a secret array?

  57. 14 15 w (some) Eliminating branches void sort2(int32 machine instructions. { int32 x0 = x[0]; Let’s try sorting 2 integers. int32 x1 = x[1]; rogramming language Assume int32 is secret . if (x1 < x0) { ypes. void sort2(int32 *x) x[0] = x1; compiler to guarantee { int32 x0 = x[0]; x[1] = x0; es are used only int32 x1 = x[1]; } else { instructions. if (x1 < x0) { x[0] = x0; x[0] = x1; x[1] = x1; concept: Valgrind x[1] = x0; } data as secret ), } } FlowTracker. } implement, e.g., Unacceptable: not constant-time. secret array?

  58. 14 15 Eliminating branches void sort2(int32 *x) instructions. { int32 x0 = x[0]; Let’s try sorting 2 integers. int32 x1 = x[1]; nguage Assume int32 is secret . if (x1 < x0) { void sort2(int32 *x) x[0] = x1; rantee { int32 x0 = x[0]; x[1] = x0; used only int32 x1 = x[1]; } else { instructions. if (x1 < x0) { x[0] = x0; x[0] = x1; x[1] = x1; d x[1] = x0; } secret ), } } ker. } e.g., Unacceptable: not constant-time.

  59. 15 16 Eliminating branches void sort2(int32 *x) { int32 x0 = x[0]; Let’s try sorting 2 integers. int32 x1 = x[1]; Assume int32 is secret . if (x1 < x0) { void sort2(int32 *x) x[0] = x1; { int32 x0 = x[0]; x[1] = x0; int32 x1 = x[1]; } else { if (x1 < x0) { x[0] = x0; x[0] = x1; x[1] = x1; x[1] = x0; } } } } Unacceptable: not constant-time.

  60. 15 16 Eliminating branches void sort2(int32 *x) { int32 x0 = x[0]; Let’s try sorting 2 integers. int32 x1 = x[1]; Assume int32 is secret . if (x1 < x0) { void sort2(int32 *x) x[0] = x1; { int32 x0 = x[0]; x[1] = x0; int32 x1 = x[1]; } else { if (x1 < x0) { x[0] = x0; x[0] = x1; x[1] = x1; x[1] = x0; } } } } Safe compiler won’t allow this. Unacceptable: not constant-time. Branch timing leaks secrets.

  61. 15 16 Eliminating branches void sort2(int32 *x) void sort2(int32 { int32 x0 = x[0]; { int32 try sorting 2 integers. int32 x1 = x[1]; int32 Assume int32 is secret . if (x1 < x0) { int32 sort2(int32 *x) x[0] = x1; x[0] = x0 = x[0]; x[1] = x0; x[1] = x1 = x[1]; } else { } (x1 < x0) { x[0] = x0; x[0] = x1; x[1] = x1; x[1] = x0; } } Safe compiler won’t allow this. Unacceptable: not constant-time. Branch timing leaks secrets.

  62. 15 16 ranches void sort2(int32 *x) void sort2(int32 { int32 x0 = x[0]; { int32 x0 = x[0]; 2 integers. int32 x1 = x[1]; int32 x1 = x[1]; is secret . if (x1 < x0) { int32 c = (x1 < *x) x[0] = x1; x[0] = (c ? x1 x[0]; x[1] = x0; x[1] = (c ? x0 x[1]; } else { } x[0] = x0; x[1] = x1; } } Safe compiler won’t allow this. not constant-time. Branch timing leaks secrets.

  63. 15 16 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; rs. int32 x1 = x[1]; int32 x1 = x[1]; if (x1 < x0) { int32 c = (x1 < x0); x[0] = x1; x[0] = (c ? x1 : x0); x[1] = x0; x[1] = (c ? x0 : x1); } else { } x[0] = x0; x[1] = x1; } } Safe compiler won’t allow this. constant-time. Branch timing leaks secrets.

  64. 16 17 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; if (x1 < x0) { int32 c = (x1 < x0); x[0] = x1; x[0] = (c ? x1 : x0); x[1] = x0; x[1] = (c ? x0 : x1); } else { } x[0] = x0; x[1] = x1; } } Safe compiler won’t allow this. Branch timing leaks secrets.

  65. 16 17 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; if (x1 < x0) { int32 c = (x1 < x0); x[0] = x1; x[0] = (c ? x1 : x0); x[1] = x0; x[1] = (c ? x0 : x1); } else { } x[0] = x0; Syntax is different but “ ?: ” x[1] = x1; is a branch by definition: } if (x1 < x0) x[0] = x1; } else x[0] = x0; Safe compiler won’t allow this. if (x1 < x0) x[1] = x0; Branch timing leaks secrets. else x[1] = x1;

  66. 16 17 sort2(int32 *x) void sort2(int32 *x) void sort2(int32 x0 = x[0]; { int32 x0 = x[0]; { int32 x1 = x[1]; int32 x1 = x[1]; int32 (x1 < x0) { int32 c = (x1 < x0); int32 x[0] = x1; x[0] = (c ? x1 : x0); x[c] = x[1] = x0; x[1] = (c ? x0 : x1); x[1 - else { } } x[0] = x0; Syntax is different but “ ?: ” x[1] = x1; is a branch by definition: if (x1 < x0) x[0] = x1; else x[0] = x0; compiler won’t allow this. if (x1 < x0) x[1] = x0; Branch timing leaks secrets. else x[1] = x1;

  67. 16 17 *x) void sort2(int32 *x) void sort2(int32 x[0]; { int32 x0 = x[0]; { int32 x0 = x[0]; x[1]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x[0] = (c ? x1 : x0); x[c] = x0; x[1] = (c ? x0 : x1); x[1 - c] = x1; } } Syntax is different but “ ?: ” is a branch by definition: if (x1 < x0) x[0] = x1; else x[0] = x0; on’t allow this. if (x1 < x0) x[1] = x0; leaks secrets. else x[1] = x1;

  68. 16 17 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[0] = (c ? x1 : x0); x[c] = x0; x[1] = (c ? x0 : x1); x[1 - c] = x1; } } Syntax is different but “ ?: ” is a branch by definition: if (x1 < x0) x[0] = x1; else x[0] = x0; this. if (x1 < x0) x[1] = x0; secrets. else x[1] = x1;

  69. 17 18 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[0] = (c ? x1 : x0); x[c] = x0; x[1] = (c ? x0 : x1); x[1 - c] = x1; } } Syntax is different but “ ?: ” is a branch by definition: if (x1 < x0) x[0] = x1; else x[0] = x0; if (x1 < x0) x[1] = x0; else x[1] = x1;

  70. 17 18 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[0] = (c ? x1 : x0); x[c] = x0; x[1] = (c ? x0 : x1); x[1 - c] = x1; } } Syntax is different but “ ?: ” Safe compiler won’t allow this: is a branch by definition: won’t allow secret data to be used as an array index. if (x1 < x0) x[0] = x1; Cache timing is not constant: else x[0] = x0; see earlier attack examples. if (x1 < x0) x[1] = x0; else x[1] = x1;

  71. 17 18 sort2(int32 *x) void sort2(int32 *x) void sort2(int32 x0 = x[0]; { int32 x0 = x[0]; { int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); int32 = (c ? x1 : x0); x[c] = x0; c *= x1 = (c ? x0 : x1); x[1 - c] = x1; x[0] = } x[1] = } is different but “ ?: ” Safe compiler won’t allow this: ranch by definition: won’t allow secret data to be used as an array index. (x1 < x0) x[0] = x1; Cache timing is not constant: x[0] = x0; see earlier attack examples. (x1 < x0) x[1] = x0; x[1] = x1;

  72. 17 18 *x) void sort2(int32 *x) void sort2(int32 x[0]; { int32 x0 = x[0]; { int32 x0 = x[0]; x[1]; int32 x1 = x[1]; int32 x1 = x[1]; < x0); int32 c = (x1 < x0); int32 c = (x1 < : x0); x[c] = x0; c *= x1 - x0; : x1); x[1 - c] = x1; x[0] = x0 + c; } x[1] = x1 - c; } different but “ ?: ” Safe compiler won’t allow this: efinition: won’t allow secret data to be used as an array index. x[0] = x1; Cache timing is not constant: x0; see earlier attack examples. x[1] = x0; x1;

  73. 17 18 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[c] = x0; c *= x1 - x0; x[1 - c] = x1; x[0] = x0 + c; } x[1] = x1 - c; } ” Safe compiler won’t allow this: won’t allow secret data to be used as an array index. x1; Cache timing is not constant: see earlier attack examples. x0;

  74. 18 19 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[c] = x0; c *= x1 - x0; x[1 - c] = x1; x[0] = x0 + c; } x[1] = x1 - c; } Safe compiler won’t allow this: won’t allow secret data to be used as an array index. Cache timing is not constant: see earlier attack examples.

  75. 18 19 void sort2(int32 *x) void sort2(int32 *x) { int32 x0 = x[0]; { int32 x0 = x[0]; int32 x1 = x[1]; int32 x1 = x[1]; int32 c = (x1 < x0); int32 c = (x1 < x0); x[c] = x0; c *= x1 - x0; x[1 - c] = x1; x[0] = x0 + c; } x[1] = x1 - c; } Safe compiler won’t allow this: won’t allow secret data Does safe compiler allow to be used as an array index. multiplication of secrets? Cache timing is not constant: Recall that multiplication see earlier attack examples. takes variable time on, e.g., Cortex-M3 and most PowerPCs.

  76. 18 19 Will want sort2(int32 *x) void sort2(int32 *x) for fast p x0 = x[0]; { int32 x0 = x[0]; but let’s x1 = x[1]; int32 x1 = x[1]; for this so c = (x1 < x0); int32 c = (x1 < x0); = x0; c *= x1 - x0; void sort2(int32 c] = x1; x[0] = x0 + c; { int32 x[1] = x1 - c; int32 } compiler won’t allow this: int32 allow secret data Does safe compiler allow c &= x1 used as an array index. multiplication of secrets? x[0] = x[1] = timing is not constant: Recall that multiplication } rlier attack examples. takes variable time on, e.g., Cortex-M3 and most PowerPCs.

  77. 18 19 Will want to handle *x) void sort2(int32 *x) for fast prime-field x[0]; { int32 x0 = x[0]; but let’s dodge the x[1]; int32 x1 = x[1]; for this sorting code: < x0); int32 c = (x1 < x0); c *= x1 - x0; void sort2(int32 x[0] = x0 + c; { int32 x0 = x[0]; x[1] = x1 - c; int32 x1 = x[1]; } on’t allow this: int32 c = -(x1 secret data Does safe compiler allow c &= x1 ^ x0; array index. multiplication of secrets? x[0] = x0 ^ c; x[1] = x1 ^ c; not constant: Recall that multiplication } examples. takes variable time on, e.g., Cortex-M3 and most PowerPCs.

  78. 18 19 Will want to handle this issue void sort2(int32 *x) for fast prime-field ECC etc., { int32 x0 = x[0]; but let’s dodge the issue int32 x1 = x[1]; for this sorting code: int32 c = (x1 < x0); c *= x1 - x0; void sort2(int32 *x) x[0] = x0 + c; { int32 x0 = x[0]; x[1] = x1 - c; int32 x1 = x[1]; } this: int32 c = -(x1 < x0); Does safe compiler allow c &= x1 ^ x0; index. multiplication of secrets? x[0] = x0 ^ c; x[1] = x1 ^ c; constant: Recall that multiplication } examples. takes variable time on, e.g., Cortex-M3 and most PowerPCs.

  79. 19 20 Will want to handle this issue void sort2(int32 *x) for fast prime-field ECC etc., { int32 x0 = x[0]; but let’s dodge the issue int32 x1 = x[1]; for this sorting code: int32 c = (x1 < x0); c *= x1 - x0; void sort2(int32 *x) x[0] = x0 + c; { int32 x0 = x[0]; x[1] = x1 - c; int32 x1 = x[1]; } int32 c = -(x1 < x0); Does safe compiler allow c &= x1 ^ x0; multiplication of secrets? x[0] = x0 ^ c; x[1] = x1 ^ c; Recall that multiplication } takes variable time on, e.g., Cortex-M3 and most PowerPCs.

  80. 19 20 Will want to handle this issue 1. Possible sort2(int32 *x) for fast prime-field ECC etc., (also for x0 = x[0]; but let’s dodge the issue C standa x1 = x[1]; for this sorting code: int32 as c = (x1 < x0); “undefined” x1 - x0; void sort2(int32 *x) Real CPU = x0 + c; { int32 x0 = x[0]; but C compiler = x1 - c; int32 x1 = x[1]; int32 c = -(x1 < x0); safe compiler allow c &= x1 ^ x0; multiplication of secrets? x[0] = x0 ^ c; x[1] = x1 ^ c; that multiplication } variable time on, e.g., rtex-M3 and most PowerPCs.

  81. 19 20 Will want to handle this issue 1. Possible correctness *x) for fast prime-field ECC etc., (also for previous co x[0]; but let’s dodge the issue C standard does not x[1]; for this sorting code: int32 as twos-complement; < x0); “undefined” behavio void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can int32 x1 = x[1]; int32 c = -(x1 < x0); compiler allow c &= x1 ^ x0; secrets? x[0] = x0 ^ c; x[1] = x1 ^ c; multiplication } time on, e.g., most PowerPCs.

  82. 19 20 Will want to handle this issue 1. Possible correctness problem for fast prime-field ECC etc., (also for previous code): but let’s dodge the issue C standard does not define for this sorting code: int32 as twos-complement; “undefined” behavior on overflo void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can screw this int32 x1 = x[1]; int32 c = -(x1 < x0); c &= x1 ^ x0; x[0] = x0 ^ c; x[1] = x1 ^ c; } e.g., erPCs.

  83. 20 21 Will want to handle this issue 1. Possible correctness problems for fast prime-field ECC etc., (also for previous code): but let’s dodge the issue C standard does not define for this sorting code: int32 as twos-complement; says “undefined” behavior on overflow. void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can screw this up . int32 x1 = x[1]; int32 c = -(x1 < x0); c &= x1 ^ x0; x[0] = x0 ^ c; x[1] = x1 ^ c; }

  84. 20 21 Will want to handle this issue 1. Possible correctness problems for fast prime-field ECC etc., (also for previous code): but let’s dodge the issue C standard does not define for this sorting code: int32 as twos-complement; says “undefined” behavior on overflow. void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can screw this up . int32 x1 = x[1]; Fix: use gcc -fwrapv . int32 c = -(x1 < x0); c &= x1 ^ x0; x[0] = x0 ^ c; x[1] = x1 ^ c; }

  85. 20 21 Will want to handle this issue 1. Possible correctness problems for fast prime-field ECC etc., (also for previous code): but let’s dodge the issue C standard does not define for this sorting code: int32 as twos-complement; says “undefined” behavior on overflow. void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can screw this up . int32 x1 = x[1]; Fix: use gcc -fwrapv . int32 c = -(x1 < x0); c &= x1 ^ x0; 2. Does safe compiler allow x[0] = x0 ^ c; “ x1 < x0 ” for secrets? x[1] = x1 ^ c; What do we do if it doesn’t? }

  86. 20 21 Will want to handle this issue 1. Possible correctness problems for fast prime-field ECC etc., (also for previous code): but let’s dodge the issue C standard does not define for this sorting code: int32 as twos-complement; says “undefined” behavior on overflow. void sort2(int32 *x) Real CPU uses twos-complement { int32 x0 = x[0]; but C compiler can screw this up . int32 x1 = x[1]; Fix: use gcc -fwrapv . int32 c = -(x1 < x0); c &= x1 ^ x0; 2. Does safe compiler allow x[0] = x0 ^ c; “ x1 < x0 ” for secrets? x[1] = x1 ^ c; What do we do if it doesn’t? } C compilers sometimes use constant-time instructions for this.

Recommend


More recommend