>> Do you have any comment from Intel on the concerns regarding the scattering
>> technique (http://cryptojedi.org/peter/data/chesrump-20130822.pdf)?
>
> As discussed off-list in this case the discrepancy is because so called
> memory disambiguation logic attempting to move loads ahead of stores,
> and failing when the least significant bits are same. Naturally load
> ought to be given "opportunity" to *try* to get ahead. I mean if there
> is enough "work done" between store and potentially conflicting load,
> then load won't "try" to get ahead of the store and variation . And
> indeed, if you add instructions to the test program the variation
> disappears. On Intel CPUs amount "worth" 5 cycles appears to be
> sufficient.

This might be misinterpreted. It's not necessarily that 5 cycles is
sufficient for load not to "try" to get ahead, but it's sufficient to
amortize eventual variations.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org