> On Apr 3, 2015, at 11:41 AM, Tony Arcieri <[email protected]> wrote:
> 
> On Fri, Apr 3, 2015 at 11:35 AM, Irene Knapp <[email protected]> wrote:
> Surely, what you are describing is a lightweight tool that either generates 
> LLVM bitcode, or hooks into the LLVM backends at a slightly lower level than 
> that to output particular instructions when that's what you really, really 
> want - but I suspect its hinting system already makes that unnecessary for 
> this use-case.  LLVM bitcode is precisely this "mostly concrete assembly" 
> concept that you're describing.
> 
> The problem with using LLVM in this context is robust cryptographic 
> implementations need to follow a very specific set of rules to avoid cache 
> timing attacks, and LLVM is not designed to follow these rules:
> 
> https://cryptocoding.net/index.php/Coding_rules
> 
> LLVM has not been designed to support the generation of constant time code 
> and is instead rather eager to do things like insert branches in otherwise 
> branch free code if it thinks the code can be better optimized. 
> 
> -- 
> Tony Arcieri

It may be that if your tool chooses carefully the optimization passes — or even 
avoids most of them entirely — you could get constant-time operation.  But I 
don’t know enough about LLVM’s codegen to be sure one way or the other.  At 
least until recently, though, it was absolutely terrible at things like 
add-with-carry intrinsics.  (Not necessarily making them variable time, but 
lowering add; addc to add; setc; zext; add; add.)

— Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
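The hazard raised in this thread is the compiler rewriting branch-free selection and comparison into data-dependent branches. The following is an added illustration, not code from the thread, from LLVM or from any project the posters mention: mask-based constant-time helpers of the kind the cryptocoding rules call for, each passed through a value barrier so the optimizer cannot see the mask's origin. It assumes a GCC- or Clang-compatible compiler for the empty inline asm; all inputs in the self-check are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Value barrier (assumes GCC or Clang): the empty asm makes the optimizer
   treat v as unknown, so it cannot rewrite the mask arithmetic below into a
   data-dependent branch or a secret-indexed lookup. */
static inline uint32_t ct_barrier(uint32_t v) {
    __asm__ __volatile__("" : "+r"(v));
    return v;
}

/* All-ones if x == 0, all-zeros otherwise, without branching on x. */
static inline uint32_t ct_is_zero_mask(uint32_t x) {
    return ct_barrier((uint32_t)(((uint64_t)x - 1u) >> 32));
}

/* a when mask is all-ones, b when all-zeros; no branch, no secret index. */
static inline uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) {
    return b ^ (ct_barrier(mask) & (a ^ b));
}

/* Constant-time buffer equality (1/0): every byte is visited, whatever the
   position of the first difference. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)(ct_is_zero_mask(diff) & 1u);
}

/* Conditional swap of two limb arrays (the Montgomery-ladder step); swap is
   0 or 1 and the memory access pattern is the same for both values. */
void ct_cswap(uint32_t *a, uint32_t *b, size_t limbs, uint32_t swap) {
    uint32_t mask = ct_barrier(0u - swap);
    for (size_t i = 0; i < limbs; i++) {
        uint32_t t = mask & (a[i] ^ b[i]);
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Self-check on constructed inputs; returns 1 when every helper behaves. */
int ct_selftest(void) {
    uint32_t x[2] = {1, 2}, y[2] = {3, 4};
    uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {1, 2, 3, 5};
    ct_cswap(x, y, 2, 0);
    int ok = (x[0] == 1 && y[1] == 4);
    ct_cswap(x, y, 2, 1);
    ok &= (x[0] == 3 && x[1] == 4 && y[0] == 1 && y[1] == 2);
    ok &= (ct_memeq(k1, k1, 4) == 1) && (ct_memeq(k1, k2, 4) == 0);
    return ok;
}
```

The barrier only constrains the compiler; the check that matters is reading the emitted assembly (for example with `-S` at the optimization level actually shipped) and confirming no conditional branch on the mask survives.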
