The cr.yp.to microblog: 2022.08.22 19:17:26

2022.08.22 19:17:26 (1561764497143894016) from Daniel J. Bernstein, replying to "nikita borisov (@nikitab)" (1561699662368849921):

No, "specific data values may delay instruction retirement by, at most, one cycle" in https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html is a pipeline effect. Also says Skylake "may" do this for "at least" one insn in a list of (basically) vector mul. CacheBleed showed exploitability of 1-cycle variations.

2022.08.22 19:22:24 (1561765744794251264) from Daniel J. Bernstein:

This is reminiscent of the FPU on the IBM PowerPC RS64 IV taking an extra cycle to multiply by 0; see warning at the bottom of page 10 of https://cr.yp.to/ecdh/curve25519-20060209.pdf. Figuring out values that trigger a Skylake slowdown could enable attacks along the lines of https://www.iacr.org/archive/crypto2008/51570222/51570222.pdf.

2022.08.22 19:31:09 (1561767946870878209) from Daniel J. Bernstein:

It's easy to see how cutting corners in hardware for floating-point normalization would explain the slowdown on that PowerPC. Intel seems to say that its vector fp mul _is_ constant-time; but maybe the way that the vector int mul reuses the vector fp mul is creating a slowdown.

Context

2022.08.21 17:27:05 (1561374336014901249) from "Adam Langley (@agl__)", replying to "Adam Langley (@agl__)" (1561374334714671104):

Ice Lake was released in 2019 but this information is only a few months old. So hopefully multiplication etc. actually is always constant-time on existing chips and this is just preparing for the future?

2022.08.22 11:28:03 (1561646369814634497) from Daniel J. Bernstein:

The documentation actually suggests, but doesn't quite say, that, already on Skylake, vector multiplications (used in many crypto implementations) _aren't_ constant-time. Since then I've been doing various scans to try to find inputs triggering variations; nothing to report yet. https://twitter.com/agl__/status/1561374336014901249

2022.08.22 14:41:04 (1561694947048247296) from "Brian Smith (@BRIAN_____)":

Perhaps the values affect the power consumption substantially which then triggers the power/heat throttling. I.e. timing side channel indirectly through power side channel.

2022.08.22 14:59:49 (1561699662368849921) from "nikita borisov (@nikitab)", replying to "Brian Smith (@BRIAN_____)" (1561694947048247296):

À la http://hertzbleed.com