Remember that P-256 carry bug a while back from @FiloSottile/@thecomp1ler/@Cloudflare ?
Here's the bug: https://github.com/golang/go/issues/20040
And here's what happens when you get a single bit wrong in a crypto algorithm: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html
This should never have happened because nobody except Cloudflare-like users has any need for asm crypto routines. Asm implementations should always be off-by-default.
Replying to @RichFelker @dgryski and
Either completely omitted at build time, or only used when crypto handle is opened with a "favor throughput over safety" option.
Replying to @RichFelker @dgryski and
That’s nonsense. Much crypto code requires constant time execution to avoid side channel attacks, and compilers cannot emit that code reliably at the moment.
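To make the "constant time execution" point concrete, here is an added example (not code from anyone in the thread, and not from the Go repository) in Go, since the bug under discussion is in Go's crypto tree. It contrasts an early-exit byte comparison with a data-independent one. Instead of measuring wall-clock time, each function returns a step counter that tracks its source-level control flow; the counter is an assumption of this example, a stand-in for timing that shows where a data-dependent branch sits. It says nothing about what the compiler or CPU actually emits, which is exactly the gap the thread is arguing about.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// leakyEqual reports whether a and b are equal and how many byte
// comparisons it performed before deciding. The early return makes the
// count (and so the running time) depend on the index of the first
// mismatch: an attacker who can time this learns the secret byte by byte.
// The length check leaks the length in both variants; that is normal for
// MAC/tag comparison, where the length is public.
func leakyEqual(a, b []byte) (equal bool, steps int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := range a {
		steps++
		if a[i] != b[i] { // secret-dependent branch
			return false, steps
		}
	}
	return true, steps
}

// ctEqual does the same job with data-independent control flow: every
// byte is visited and mismatches are accumulated with XOR/OR rather than
// a branch, the pattern crypto/subtle.ConstantTimeCompare uses. The step
// count is the same for every input of a given length.
func ctEqual(a, b []byte) (equal bool, steps int) {
	if len(a) != len(b) {
		return false, 0
	}
	var diff byte
	for i := range a {
		steps++
		diff |= a[i] ^ b[i]
	}
	// Fold diff==0 into a boolean without branching on diff.
	return subtle.ConstantTimeByteEq(diff, 0) == 1, steps
}

func main() {
	// Constructed sample inputs: a secret tag and two guesses that
	// differ from it at the first and at the last byte respectively.
	secret := []byte("correct horse battery staple")
	firstByteWrong := []byte("xorrect horse battery staple")
	lastByteWrong := []byte("correct horse battery stapl!")

	for _, g := range [][]byte{firstByteWrong, lastByteWrong, secret} {
		_, leakySteps := leakyEqual(secret, g)
		_, ctSteps := ctEqual(secret, g)
		fmt.Printf("guess %q: early-exit steps=%d, constant-time steps=%d\n",
			g, leakySteps, ctSteps)
	}
}
```

With the early-exit version the step count is 1 for the first guess and 28 for the second, so the count (and the time) tells the attacker how much of the prefix was right; the constant-time version returns 28 for all three. The point of the thread is that this source-level discipline is necessary but not sufficient: the compiler is free to reintroduce a branch, which is why the other side insists on assembly.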
Sure they can. while(nanotime()<starttime+k);
Replying to @RichFelker @dgryski and
Ok, that answer so thoroughly misunderstands the problem that I think this just constitutes trolling.
How so? This is the ONLY safe & reliable way to achieve constant-time. Even most ISAs' machine code is not specified to guarantee constant time. Pretending asm can get it is wrong.
Replying to @RichFelker @dgryski and
I don’t think anyone is pretending: the ISA problems are well known, and largely considered deficiencies in those ISAs. My question to you is this: how do you select k?
Either just pick something huge, or measure over a largeish random set of ops & go a bit larger.
Replying to @RichFelker @Lukasaoz and
That's not enough: constant time is also about *CPU* time.
I think you missed the lack of any sleep there.
Replying to @RichFelker @Lukasaoz and
Task scheduling can change the number of while-loop iterations. Moreover, careful statistical sampling + large server load can help recover the actual algorithm CPU cost.