Remember that P-256 carry bug a while back from @FiloSottile/@thecomp1ler/@Cloudflare?
Here's the bug: https://github.com/golang/go/issues/20040
And here's what happens when you get a single bit wrong in a crypto algorithm: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html
-
Either completely omitted at build time, or only used when a crypto handle is opened with a "favor throughput over safety" option.
-
That’s nonsense. Much crypto code requires constant time execution to avoid side channel attacks, and compilers cannot emit that code reliably at the moment.
-
Sure they can. while(nanotime()<starttime+k);
-
Ok, that answer so thoroughly misunderstands the problem that I think this just constitutes trolling.
-
How so? This is the ONLY safe & reliable way to achieve constant-time. Even most ISAs' machine code is not specified to guarantee constant time. Pretending asm can get it is wrong.
-
I don’t think anyone is pretending: the ISA problems are well known, and largely considered deficiencies in those ISAs. My question to you is this: how do you select k?
-
Either just pick something huge, or measure over a largeish random set of ops & go a bit larger.
-
"You must use one of a small # of bleeding-edge ISAs to do crypto safely" is not something I consider a viable position.
New conversation
-
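The padding approach argued over above, written out as an added Go example (not code posted by anyone in the thread): a leaky early-exit comparison, the same comparison done through crypto/subtle, and a wrapper that pads any operation out to a fixed time budget k and reports when that budget is overrun, which is exactly the "how do you select k?" problem. Function names, the sample strings and the chosen durations are my own assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// leakyEqual returns at the first mismatching byte, so its running time
// grows with the length of the matching prefix: a timing side channel.
func leakyEqual(secret, guess []byte) bool {
	if len(secret) != len(guess) {
		return false
	}
	for i := range secret {
		if secret[i] != guess[i] {
			return false
		}
	}
	return true
}

// constantTimeEqual uses crypto/subtle, which inspects every byte regardless
// of where the first mismatch is, so the outcome does not steer the timing.
func constantTimeEqual(secret, guess []byte) bool {
	return subtle.ConstantTimeCompare(secret, guess) == 1
}

// padToBudget is the "while(nanotime()<starttime+k);" idea from the thread:
// run op, then spin until k has elapsed since the start. It reports true if
// op alone already exceeded k, because in that case nothing was hidden and
// the observable time is op's own. The spin only evens out wall-clock time;
// it does nothing for cache, port-contention or power channels, and picking
// k is the open question the thread never settles. (Hypothetical helper.)
func padToBudget(op func(), k time.Duration) (overrun bool) {
	start := time.Now()
	op()
	deadline := start.Add(k)
	if time.Now().After(deadline) {
		return true
	}
	for time.Now().Before(deadline) {
		// busy-wait; a sleep would be subject to scheduler jitter
	}
	return false
}

func main() {
	secret := []byte("correct horse battery staple") // constructed sample input
	guess := []byte("correct horse battery stable")  // differs only in the last bytes
	fmt.Println("leaky:", leakyEqual(secret, guess), "constant-time:", constantTimeEqual(secret, guess))

	// A budget far above the operation's cost hides its duration...
	fmt.Println("overrun with generous k:",
		padToBudget(func() { leakyEqual(secret, guess) }, 2*time.Millisecond))
	// ...but an operation slower than k (simulated here with a sleep) leaks
	// its true duration, and the wrapper says so.
	fmt.Println("overrun with small k:",
		padToBudget(func() { time.Sleep(5 * time.Millisecond) }, time.Millisecond))
}
```

The two comparison functions return the same answers; only their timing profile differs, which is why a test of return values cannot tell them apart and why the padding wrapper's overrun flag is the thing worth checking.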
Every Cloudflare-like user is any web server that serves any meaningful amount of traffic. You can't hope to come close to even 1Gb/s without using asm. Example: https://go-review.googlesource.com/c/go/+/10484 , before I wrote GCM in asm it could do 89.31MB/s. Hardly enough, even for a home server.
-
The idea that < 1Gbps is not a meaningful amount of traffic is so... I don't even know where to begin. At least 99.999% of sites have no such need.
End of conversation
New conversation
-
I consider reducing the asm in the stdlib a major security goal, and I would even trade % of perf for it, but unfortunately you are wrong about users needing it. 2s latencies are unacceptable to most users. AES slower than SSD is not ok. Look at the issue tracker tag Performance.