Remember that P-256 carry bug a while back from @FiloSottile/@thecomp1ler/@Cloudflare ?
Here's the bug: https://github.com/golang/go/issues/20040 …
And here's what happen when you get a single bit wrong in a crypto algorithm: https://events.ccc.de/congress/2017/Fahrplan/events/9021.html …
-
Show this thread
-
This should never have happened because nobody except Cloudflare-like users has any need for asm crypto routines. Asm implementations should always be off-by-default.
3 replies 0 retweets 1 like -
Replying to @RichFelker @dgryski and
Either completely omitted at build time, or only used when crypto handle is opened with a "favor throughput over safety" option.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @dgryski and
That’s nonsense. Much crypto code requires constant time execution to avoid side channel attacks, and compilers cannot emit that code reliably at the moment.
2 replies 0 retweets 1 like -
Sure they can. while(nanotime()<starttime+k);
1 reply 0 retweets 0 likes -
Replying to @RichFelker @dgryski and
Ok, that answer so thoroughly misunderstands the problem that I think this just constitutes trolling.
1 reply 0 retweets 2 likes -
How so? This is the ONLY safe & reliable way to achieve constant-time. Even most ISAs' machine code is not specified to guarantee constant time. Pretending asm can get it is wrong.
2 replies 0 retweets 0 likes -
Replying to @RichFelker @Lukasaoz and
Are you aware that timing attacks can be performed using cache invalidation? They target non-constant time table access as well as non-constant time branches. Adding arbitrary delay to the code solves nothing.
1 reply 0 retweets 0 likes
This is a different class of attacks (local vs remote) but constant cache access pattern and constant time are also different matters.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.