Leaky multiply instruction on Cortex-A75
tg at gmplib.org
Mon Dec 17 14:35:35 UTC 2018
The Arm64 core Cortex-A75 has a multiply instruction which runs with
different throughput and latency depending on the most significant 32
bits of one of its operands. This, of course, leaks side channel
It is not immediately clear what we need to do to mitigate. Adding 2^32
to the operand would seem attractive, but then we need to handle the
case when that spills in a side channel silent manner.
Cf. pages 15-16.
I haven't seen a leaky multiply instruction on a mainstream CPU since
the days of POWER3, i.e., in 20 years.
Please encrypt, key id 0xC8601622
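Added example (not code from the message above, nor GMP's own code): a C sketch of the "add 2^32 to the operand" idea, with the spill handled by mask arithmetic rather than a branch. It assumes, which the message does not state, that the data-dependent fast path is taken when the multiplier operand's upper 32 bits are zero; the function names are hypothetical and the test operands are constructed. It also shows what the add alone leaves open: when the upper 32 bits of b are all ones, the adjusted operand wraps and its upper half is zero again.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Reference: the plain 64x64 -> 128 product we want to protect. */
u128 mul_ref(uint64_t a, uint64_t b)
{
    return (u128)a * b;
}

/* Upper 32 bits of the operand actually handed to the multiplier
 * after the adjustment below (hypothetical helper, for inspection). */
uint32_t fed_operand_hi32(uint64_t b)
{
    return (uint32_t)((b + ((uint64_t)1 << 32)) >> 32);
}

/* Assumed leak model (not stated in the message): the multiply is fast
 * when the upper 32 bits of its second operand are zero.  Feed it
 * b' = b + 2^32 (mod 2^64) instead of b, then repair the product with
 * shifts, masks and adds only, so the repair itself is data-oblivious.
 *
 * Arithmetic: b' = b + 2^32 - spill*2^64 as integers, hence
 *   a*b' = a*b + a*2^32 - spill*a*2^64
 *   a*b  = a*b' - a*2^32 + spill*a*2^64   (mod 2^128). */
u128 mul_shifted_operand(uint64_t a, uint64_t b)
{
    uint64_t bp    = b + ((uint64_t)1 << 32); /* wraps iff hi32(b) == 0xffffffff */
    uint64_t spill = (bp < b);                /* carry out of the add: 0 or 1 */
    uint64_t mask  = (uint64_t)0 - spill;     /* all ones iff the add spilled */

    u128 p = (u128)a * bp;                    /* the only hardware multiply */
    p -= (u128)a << 32;                       /* remove the a*2^32 term */
    p += (u128)(a & mask) << 64;              /* add back spill*a*2^64 */
    return p;
}

/* Check the adjusted multiply against the reference on constructed
 * edge cases, including the operands that make the add spill. */
int check_all(void)
{
    static const uint64_t cases[] = {
        0, 1, 0xffffffffULL, 0x100000000ULL, 0xffffffff00000000ULL,
        0xffffffffffffffffULL, 0x123456789abcdef0ULL, 0x8000000000000000ULL
    };
    size_t n = sizeof cases / sizeof cases[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (mul_shifted_operand(cases[i], cases[j]) != mul_ref(cases[i], cases[j]))
                return 0;
    return 1;
}

int main(void)
{
    uint64_t a = 0xffffffffffffffffULL;
    uint64_t b = 0xffffffff00000000ULL;      /* the spill case */
    u128 p = mul_shifted_operand(a, b);
    printf("adjusted multiply matches reference on all cases: %s\n",
           check_all() ? "yes" : "no");
    printf("a*b hi=%016llx lo=%016llx; operand fed to multiplier has hi32=%08x\n",
           (unsigned long long)(p >> 64), (unsigned long long)p,
           fed_operand_hi32(b));
    return check_all() ? 0 : 1;
}
```

The repair is branch-free and the single multiply always sees b + 2^32, so the product is right for every b; the remaining question from the message is what to feed the multiplier when hi32(b) is all ones, since the wrapped operand then has a zero upper half again.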