tg at gmplib.org
Wed Apr 10 22:49:40 CEST 2013
nisse at lysator.liu.se (Niels Möller) writes:
> Torbjorn Granlund <tg at gmplib.org> writes:
>> The multitude and pattern of mask computations make side channel leakage
>> worse if the mask computation is made stupidly. I don't trust compilers
>> here, since they might use a conditional move or other leaky method.
> One possible variant,
> LIMB_HIGHBIT_TO_MASK ( ~((i-k) | (k-i)))
> BTW, a comment on LIMB_HIGHBIT_TO_MASK, which I have intended to write
> for some time. Current definition uses a condition when arithmetic shift

If the compiler does its algebra, it will figure out what is going on,
and then issue code of its choice for it. Side channel silence is not
on its checklist.
Now, we don't *know* any cmov leaks. It could be implemented as a read
of both source operands, a mux, and a write of the destination. Or it
could be a read of just either operand and a write. Or for a
2.5-operand architecture, it could be either a no-op or a mov. The
latter two cases will leak.
I see only one basic way of doing a compare-to-mask operation in C, and
that is to split it over two functions which are in separate compilation
units. (Don't mention link-time optimisation!)
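To make the mask pattern under discussion concrete, here is an added example (not GMP's code, and not from either poster) of the quoted equal-to-mask expression used for a table fetch whose addresses and control flow do not depend on the index. `highbit_to_mask`, `eq_mask`, `ct_select`, `ct_table_lookup` and the 64-bit `mp_limb_t` are assumptions; the shift-and-negate form of the high-bit-to-mask step is one portable choice, not the macro's actual definition.

```c
#include <stdint.h>

/* Assumed: a 64-bit limb, as on most GMP targets. */
typedef uint64_t mp_limb_t;
#define LIMB_BITS 64

/* Hypothetical portable stand-in for LIMB_HIGHBIT_TO_MASK: all ones if
   the top bit of n is set, else zero. Unsigned shift plus negate only,
   so there is no comparison for the compiler to lower to a branch/cmov. */
static mp_limb_t highbit_to_mask(mp_limb_t n)
{
    return -(n >> (LIMB_BITS - 1));
}

/* The equal-to-mask from the quoted message: for i != k, at least one of
   (i-k) and (k-i) has the top bit set (both do when they differ by
   2^63), so the OR has it set and the complement clears it; for i == k
   the OR is zero and the complement has it set. Result: ~0 iff i == k. */
static mp_limb_t eq_mask(mp_limb_t i, mp_limb_t k)
{
    return highbit_to_mask(~((i - k) | (k - i)));
}

/* Mask-driven select: a when mask is ~0, b when mask is 0. */
static mp_limb_t ct_select(mp_limb_t mask, mp_limb_t a, mp_limb_t b)
{
    return (a & mask) | (b & ~mask);
}

/* Fetch tab[idx] by touching every entry and accumulating through
   eq_mask, so neither memory addresses nor control flow depend on idx.
   An out-of-range idx yields 0. */
static mp_limb_t ct_table_lookup(const mp_limb_t *tab, mp_limb_t n,
                                 mp_limb_t idx)
{
    mp_limb_t r = 0;
    for (mp_limb_t i = 0; i < n; i++)
        r |= tab[i] & eq_mask(i, idx);
    return r;
}
```

As the reply above notes, an optimising compiler may still recognise the algebra and emit a cmov; the only C-level guard it offers is to put such a helper in a separate compilation unit.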