The curious tendency among cryptographers to believe that they need to make any OOB access the attacker suggests in order to be “constant-time”.
Jokes aside, the closest you'll probably come is implementing a bytecode interpreter to make it implausible for the uarch to make op times vary.
-
Real solution: while (now()<start+safe_margin);
-
Vulnerable to hyperthread timing attacks.
-
HT needs to be off to ensure reasonable local secrecy properties. I'm content to preclude remote timing leaks usually.
-
Re: js, browser should only expose a fake clock.
-
Honestly your average interpreter is probably going to leak gobs of secret information into the branch predictor. This is a terrible idea.
-
No branching needed.
-
You forget that add (with pc as a possible operand) is Turing complete. :-)
-
So instead you’re leaking into the caches and ITLB, since they’re now functioning as your branch predictor =)
-
(Also, add-to-PC is a branch that can be predicted)
-
Not host pc. Virtual machine pc.
-
Yeah, in that case see previous comment. The caches hold your branch history.
-
But you also write your code that runs in the vm such that its branch history is worthless.