The curious tendency among cryptographers to believe that they need to make any OOB access the attacker suggests in order to be “constant-time”.
Replying to @volatile_void
Fuck, are we still talking about “constant-time” in 2017? Even if they do it right, IT’S NOT ENOUGH.
2 replies 0 retweets 1 like
Replying to @volatile_void
If I had a dollar for every allegedly constant-time primitive written in C, I could buy a nice car. You cannot claim C code to be constant time, because the C abstract machine has no model of time.
2 replies 4 retweets 9 likes
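As an added illustration of what the opening tweet and this reply are arguing about (this is example code written for this page, not code from anyone in the thread): a lookup indexed by a secret that reads the whole table in a fixed order and never touches memory outside it, beside the "index straight from the secret" pattern it replaces, plus an equality check with no early exit. The table contents and buffer values are constructed for the demonstration. The caveat in the reply stands: this is written in the usual mask-based style, but C promises nothing about time, so the compiled output still has to be inspected on the target.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All-ones if a == b, all-zeros otherwise, computed without a branch.
 * Works on size_t so indices of any width can be compared directly. */
static size_t ct_mask_eq(size_t a, size_t b) {
    size_t x = a ^ b;                                      /* zero iff a == b */
    size_t nz = (x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1); /* 1 if x != 0 */
    return nz - (size_t)1;                                 /* 0 -> all ones, 1 -> 0 */
}

/* The pattern to avoid (kept only as the "before"): the address touched,
 * and for idx >= n the memory outside the table, depends on the secret. */
static uint8_t unsafe_lookup8(const uint8_t *tbl, size_t n, size_t idx) {
    (void)n;                         /* no bounds check: idx decides everything */
    return tbl[idx];
}

/* Reads every entry of tbl exactly once, in the same order, whatever idx is.
 * An out-of-range idx matches no entry and yields 0 instead of an OOB read. */
static uint8_t ct_lookup8(const uint8_t *tbl, size_t n, size_t idx) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        size_t m = ct_mask_eq(i, idx);           /* all-ones only when i == idx */
        acc |= (uint8_t)(tbl[i] & (uint8_t)m);
    }
    return acc;
}

/* 1 if the n-byte buffers are equal, else 0; always processes all n bytes. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return (int)(ct_mask_eq(diff, 0) & 1u);
}

/* Constructed 16-entry table for the demonstration; not a real S-box. */
static const uint8_t kDemoTable[16] = {
    0x3a, 0x91, 0x5c, 0xe7, 0x08, 0xb4, 0x2d, 0xf0,
    0x66, 0x1b, 0xc9, 0x74, 0xa2, 0x0f, 0xd8, 0x53 };

int main(void) {
    uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {1, 2, 3, 4}, k3[4] = {1, 2, 3, 5};
    printf("ct_lookup8(5)   = 0x%02x (table[5] = 0x%02x)\n",
           ct_lookup8(kDemoTable, 16, 5), unsafe_lookup8(kDemoTable, 16, 5));
    printf("ct_lookup8(99)  = 0x%02x (out of range, no OOB read)\n",
           ct_lookup8(kDemoTable, 16, 99));
    printf("ct_memeq equal  = %d, differs = %d\n",
           ct_memeq(k1, k2, 4), ct_memeq(k1, k3, 4));
    return 0;
}
```

The scan costs n reads instead of one, which is the price of making the access sequence independent of the index; for small tables that is usually acceptable, and it is the same reasoning that leads to bitsliced or masked implementations for larger ones.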
Replying to @stephentyrone @volatile_void
You can't even claim constant-time for most assembly code unless you tie it to a specific µarchitecture, because most ISAs make no guarantee of a constant-time for the instructions you're using.
2 replies 0 retweets 0 likes
Replying to @stephentyrone @volatile_void
pusha ; cpuid ; popa between every pair of instructions. ;-)
2 replies 0 retweets 1 like
Jokes aside, the closest you'll probably come is implementing a bytecode interpreter to make it implausible for uarch to make op times vary.
2 replies 0 retweets 0 likes
Honestly your average interpreter is probably going to leak gobs of secret information into the branch predictor. This is a terrible idea.
2 replies 0 retweets 3 likes
Indeed, this is why you can't use an average interpreter, only a highly restricted domain-specific one.
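As an added sketch of what a "highly restricted domain-specific" interpreter can look like (example code written for this page, not anyone's from the thread; the instruction set, register count and encoding are assumptions made here): the only operations are fixed-width register arithmetic, logic and a mask-based select. There are no conditional jumps and no memory addressing by register value, so control flow and every memory access depend only on the public program, never on secret register contents; the branch predictor sees the same sequence whatever the data. The reply about C and ISAs still applies; this only removes data-dependent structure at the bytecode level.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CT_NREG 8

enum ct_op { OP_LDI, OP_XOR, OP_AND, OP_OR, OP_ADD, OP_NOT, OP_SEL, OP_HALT };

/* d = destination register; a, b, c = source registers; imm used by OP_LDI. */
typedef struct { uint8_t op, d, a, b, c; uint32_t imm; } ct_insn;

typedef struct { uint32_t r[CT_NREG]; } ct_vm;

/* All-ones if x != 0, else all-zeros; no branch on x. */
static uint32_t ct_nonzero_mask(uint32_t x) {
    return 0u - ((x | (0u - x)) >> 31);
}

/* Static, program-only check: every register index is in range and the
 * program ends with HALT. Done once, before any secret is involved. */
static int ct_validate(const ct_insn *prog, size_t n) {
    if (n == 0 || prog[n - 1].op != OP_HALT) return 0;
    for (size_t i = 0; i < n; i++) {
        const ct_insn *in = &prog[i];
        if (in->op > OP_HALT) return 0;
        if (in->d >= CT_NREG || in->a >= CT_NREG ||
            in->b >= CT_NREG || in->c >= CT_NREG) return 0;
    }
    return 1;
}

/* Runs prog on st. Returns the number of instructions executed, which is a
 * function of the program alone, or -1 if validation fails. */
static long ct_run(const ct_insn *prog, size_t n, ct_vm *st) {
    if (!ct_validate(prog, n)) return -1;
    uint32_t *r = st->r;
    for (size_t pc = 0; pc < n; pc++) {
        const ct_insn *in = &prog[pc];
        switch (in->op) {               /* dispatch on a public opcode only */
        case OP_LDI: r[in->d] = in->imm;               break;
        case OP_XOR: r[in->d] = r[in->a] ^ r[in->b];   break;
        case OP_AND: r[in->d] = r[in->a] & r[in->b];   break;
        case OP_OR:  r[in->d] = r[in->a] | r[in->b];   break;
        case OP_ADD: r[in->d] = r[in->a] + r[in->b];   break;
        case OP_NOT: r[in->d] = ~r[in->a];             break;
        case OP_SEL: {                  /* d = (c != 0) ? a : b, via masks */
            uint32_t m = ct_nonzero_mask(r[in->c]);
            r[in->d] = (r[in->a] & m) | (r[in->b] & ~m);
            break;
        }
        case OP_HALT: return (long)pc + 1;
        }
    }
    return (long)n;                     /* not reached once validated */
}

/* Demo program: r4 = (x == y) ? if_eq : if_ne, with no data-dependent branch.
 * Registers: r0 = x, r1 = y, r2 = if_eq, r3 = if_ne, r5 = scratch. */
static uint32_t ct_select_demo(uint32_t x, uint32_t y, uint32_t if_eq, uint32_t if_ne) {
    static const ct_insn prog[] = {
        { OP_XOR,  5, 0, 1, 0, 0 },     /* r5 = x ^ y (zero iff equal)       */
        { OP_SEL,  4, 3, 2, 5, 0 },     /* r4 = r5 != 0 ? r3 : r2            */
        { OP_HALT, 0, 0, 0, 0, 0 },
    };
    ct_vm st = {{0}};
    st.r[0] = x; st.r[1] = y; st.r[2] = if_eq; st.r[3] = if_ne;
    if (ct_run(prog, sizeof prog / sizeof prog[0], &st) < 0) return 0;
    return st.r[4];
}

int main(void) {
    printf("select(5,5) = 0x%x\n", ct_select_demo(5, 5, 0xAA, 0xBB));
    printf("select(5,6) = 0x%x\n", ct_select_demo(5, 6, 0xAA, 0xBB));
    return 0;
}
```

The `switch` does branch, but only on the opcode, which is part of the program rather than the data; the validation step is what keeps register indices, and therefore all memory addresses, fixed by the program as well. Anything that needs a loop or a lookup has to be unrolled or expressed through select, which is exactly the restriction the reply is describing.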