yes, “config no-asm”. I have run most of the pure C version in tis-interpreter.
also the C implementation of AES is crappy best-effort constant-time whereas the SSE2 impl. is real constant-time.
Replying to @volatile_void @whitequark
I'm skeptical of even considering asm constant-time; it won't be on many cpu emulators, for instance.
Replying to @RichFelker @whitequark
Applications that need constant-time need `while(now-start<max) spin();`
Replying to @RichFelker
that either means you have massively reduced concurrency, or an attacker can get the same leak via throughput
Replying to @RichFelker
then you can handle at most ncores concurrent clients per `max` timeslot. a non-starter
Replying to @whitequark
Assuming max is chosen to be a tight bound on runtime of any code path, it makes little difference.
Replying to @RichFelker
only if your worst case is reasonably close to your average case
Replying to @whitequark
You expect that to be true; "constant-time" asm would be going out of its way to make that true...
...by avoiding optimizations that would violate it, and avoiding insns that might be var-time, faster for some inputs.