Leaky multiply instruction on Cortex-A75

Torbjörn Granlund tg at gmplib.org
Mon Dec 17 14:35:35 UTC 2018

The Arm64 core Cortex-A75 has a multiply instruction which runs with
different throughput and latency depending on the most significant 32
bits of one of its operands.  This, of course, leaks side channel

It is not immediately clear what we need to do to mitigate.  Adding 2^32
to the operand would seem attractive, but then we need to handle the
case when that spills in a side channel silent manner.

Ref: https://static.docs.arm.com/101398/0200/arm_cortex_a75_software_optimization_guide_v2.pdf
Cf. pages 15-16.

I haven't seen a leaky multiply instruction on a mainstream CPU since
the days of POWER3, i.e., in 20 years.

Please encrypt, key id 0xC8601622

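The spill case the message worries about is real arithmetic, not a corner of the hardware: if the operand's top 32 bits are already 0xffffffff, adding 2^32 wraps modulo 2^64 and the adjusted operand lands back in the region with zero top bits. The following is an added illustration (my code, not GMP's and not from the message) of one branch-free way to handle it: add 2^32 in the ordinary case, subtract 2^32 in the spill case, select between the two with a mask, and undo the offset on the 128-bit product with the same mask. It assumes, as the proposed mitigation implies, that the data-dependent path is keyed on the top 32 bits of that operand being zero, and it uses the GCC/Clang `unsigned __int128` extension; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension, not ISO C */

/* All-ones iff a + 2^32 would wrap mod 2^64, i.e. (a >> 32) == 0xffffffff.
 * (hi + 1) >> 32 is 1 exactly in that case, so 0 - that is the mask. */
static uint64_t spill_mask(uint64_t a)
{
    uint64_t hi = a >> 32;
    return 0 - ((hi + 1) >> 32);
}

/* The operand actually handed to the hardware multiply: a + 2^32 normally,
 * a - 2^32 when adding would spill.  Either way its top 32 bits are nonzero
 * (a' >= 2^32, or a' >= 2^64 - 2^33 respectively). */
static uint64_t adjusted_operand(uint64_t a)
{
    const uint64_t K = (uint64_t)1 << 32;
    uint64_t spill = spill_mask(a);
    uint64_t delta = K ^ (spill & (K ^ (0 - K)));   /* +K or -K, no branch */
    return a + delta;
}

/* Hypothetical helper (not GMP's API): 128-bit product a*b computed via the
 * adjusted operand, with the offset removed afterwards.
 *   a*b = a'*b - 2^32*b   (ordinary case, a' = a + 2^32)
 *   a*b = a'*b + 2^32*b   (spill case,    a' = a - 2^32)
 * The add-or-subtract is selected with the mask, again without branching. */
static u128 mul_hi32_nonzero(uint64_t a, uint64_t b)
{
    uint64_t spill = spill_mask(a);
    u128 p = (u128)adjusted_operand(a) * b;
    u128 corr = (u128)b << 32;
    u128 m = (u128)spill | ((u128)spill << 64);     /* widen mask to 128 bits */
    /* p - corr == p + ~corr + 1; with m == 0 that is what we get,
     * with m == all-ones the xor and the +1 both vanish and we get p + corr. */
    return p + (corr ^ ~m) + (uint64_t)(~spill & 1);
}

/* Self-check against the plain product on both edge regions and a few
 * ordinary values (constructed test inputs); returns 1 on success. */
static int selfcheck(void)
{
    const uint64_t cases[] = {
        0, 1, 0xffffffffULL, 0x100000000ULL, 0x1234567890abcdefULL,
        0xffffffff00000000ULL, 0xfffffffffffffffeULL, 0xffffffffffffffffULL
    };
    size_t n = sizeof cases / sizeof cases[0];
    for (size_t i = 0; i < n; i++) {
        if ((adjusted_operand(cases[i]) >> 32) == 0)
            return 0;                       /* the multiply would still leak */
        for (size_t j = 0; j < n; j++)
            if (mul_hi32_nonzero(cases[i], cases[j]) != (u128)cases[i] * cases[j])
                return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t a = 0xffffffffffffffffULL, b = 0x123456789abcdef0ULL;
    u128 r = mul_hi32_nonzero(a, b);
    printf("selfcheck: %s\n", selfcheck() ? "ok" : "FAIL");
    printf("a*b = %016llx%016llx\n",
           (unsigned long long)(r >> 64), (unsigned long long)r);
    return selfcheck() ? 0 : 1;
}
```

This only removes the dependence on the value of the one operand that the message describes; the other operand is untouched, and whether the adjusted multiply really runs in constant time on a Cortex-A75 is something to measure on the part rather than assume. A compiler is also free to reshape the arithmetic, so in practice the multiply itself would have to be pinned down in assembly, as GMP does for its hot loops.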