On Fri, Apr 3, 2015 at 11:35 AM, Irene Knapp <[email protected]> wrote:

> Surely, what you are describing is a lightweight tool that either
> generates LLVM bitcode, or hooks into the LLVM backends at a slightly lower
> level than that to output particular instructions when that's what you
> really, really want - but I suspect its hinting system already makes that
> unnecessary for this use-case.  LLVM bitcode is precisely this "mostly
> concrete assembly" concept that you're describing.
>

The problem with using LLVM in this context is that robust cryptographic
implementations need to follow a very specific set of rules to avoid cache
timing attacks, and LLVM is not designed to follow these rules:

https://cryptocoding.net/index.php/Coding_rules

LLVM has not been designed to support the generation of constant-time code
and is instead rather eager to do things like insert branches in otherwise
branch-free code if it thinks the code can be better optimized.

-- 
Tony Arcieri
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
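As an added illustration of the cryptocoding rules the message points to (this is not code from the thread or from cryptocoding.net): the same byte comparison written once with a secret-dependent early exit and once in the branch-free, mask-based form those rules call for. The function names and the sample tag bytes are my own constructed examples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Branching comparison: the early return makes the running time (and the
 * cache footprint) depend on where the first mismatching byte sits. */
int leaky_eq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: touches every byte, accumulates the XOR
 * difference, and turns "diff == 0" into 0/1 with arithmetic alone. */
uint32_t ct_eq_bytes(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* diff is in 0..255: (diff - 1) >> 8 is 0x00FFFFFF iff diff == 0. */
    return ((diff - 1) >> 8) & 1;
}

/* Expand a 0/1 bit into an all-zeros / all-ones mask. */
uint32_t ct_mask(uint32_t bit)
{
    return 0u - bit;
}

/* Return a when mask is all-ones and b when it is zero, with no branch. */
uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b)
{
    return (mask & a) | (~mask & b);
}

int main(void)
{
    /* Constructed sample: a stored MAC tag and a received one differing in the last byte. */
    const uint8_t stored[4]   = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t received[4] = {0xde, 0xad, 0xbe, 0xee};
    uint32_t ok = ct_eq_bytes(stored, received, sizeof stored);
    /* Choose the status code with a masked select instead of an if/else. */
    uint32_t status = ct_select(ct_mask(ok), 200u, 403u);
    printf("leaky_eq=%d ct_eq=%u status=%u\n",
           leaky_eq(stored, received, sizeof stored), ok, status);
    return 0;
}
```

Even this pattern is not guaranteed to survive optimization: a compiler may recognise the mask idiom and reintroduce a branch, which is the concern raised above, so the release build's assembly (for example via objdump -d) should be inspected rather than trusted.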
