[curves] Distribution-ready optimized code

Michael Hamburg mike at shiftleft.org
Fri Apr 3 11:48:15 PDT 2015

> On Apr 3, 2015, at 11:41 AM, Tony Arcieri <bascule at gmail.com> wrote:
> On Fri, Apr 3, 2015 at 11:35 AM, Irene Knapp <ireneista at gmail.com> wrote:
>> Surely, what you are describing is a lightweight tool that either generates LLVM bitcode, or hooks into the LLVM backends at a slightly lower level than that to output particular instructions when that's what you really, really want - but I suspect its hinting system already makes that unnecessary for this use-case.  LLVM bitcode is precisely this "mostly concrete assembly" concept that you're describing.
> The problem with using LLVM in this context is robust cryptographic implementations need to follow a very specific set of rules to avoid cache timing attacks, and LLVM is not designed to follow these rules:
> https://cryptocoding.net/index.php/Coding_rules
> LLVM has not been designed to support the generation of constant time code and is instead rather eager to do things like insert branches in otherwise branch free code if it thinks the code can be better optimized. 
> -- 
> Tony Arcieri

It may be that if your tool chooses carefully the optimization passes — or even avoids most of them entirely — you could get constant-time operation.  But I don’t know enough about LLVM’s codegen to be sure one way or the other.  At least until recently, though, it was absolutely terrible at things like add-with-carry intrinsics.  (Not necessarily making them variable time, but lowering add; addc to add; setc; zext; add; add.)

— Mike
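As an added illustration of the two points raised in this exchange (the carry-chain idiom that a compiler is expected to lower to adc rather than the setc/zext/add sequence Mike describes, and the mask-based selection the linked cryptocoding rules prescribe instead of a secret-dependent branch), here is a small C example. It is not code from the original message, from Mike, or from any of the projects mentioned; the function names, the 4-limb layout and the sample values (p = 2^255 - 19 and a few small operands) are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LIMBS 4   /* 256-bit values as four 64-bit limbs, least significant first */

/* out = a + b; returns the carry out of the top limb (0 or 1).
 * The "sum < operand" idiom is the portable way to express a carry chain;
 * it contains no data-dependent branch, and a good backend turns it into
 * add/adc rather than add; setc; zext; add; add. */
static uint64_t add_limbs(uint64_t out[LIMBS], const uint64_t a[LIMBS],
                          const uint64_t b[LIMBS])
{
    uint64_t carry = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + carry;
        uint64_t c1 = (s < carry);      /* overflow from the incoming carry */
        uint64_t t = s + b[i];
        uint64_t c2 = (t < s);          /* overflow from adding b[i] */
        out[i] = t;
        carry = c1 | c2;                /* at most one of the two can be set */
    }
    return carry;
}

/* out = a - b; returns the borrow out of the top limb (0 or 1). */
static uint64_t sub_limbs(uint64_t out[LIMBS], const uint64_t a[LIMBS],
                          const uint64_t b[LIMBS])
{
    uint64_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t t = a[i] - b[i];
        uint64_t b1 = (a[i] < b[i]);
        uint64_t r = t - borrow;
        uint64_t b2 = (t < borrow);
        out[i] = r;
        borrow = b1 | b2;               /* again, at most one can be set */
    }
    return borrow;
}

/* All-ones if x == 0, otherwise 0, computed arithmetically rather than
 * with a comparison the compiler might turn back into a branch. */
static uint64_t ct_is_zero_mask(uint64_t x)
{
    return ((x | (0 - x)) >> 63) - 1;
}

/* 1 if a == b, else 0; looks at every limb no matter where they first differ. */
static uint64_t ct_eq_limbs(const uint64_t a[LIMBS], const uint64_t b[LIMBS])
{
    uint64_t acc = 0;
    for (size_t i = 0; i < LIMBS; i++)
        acc |= a[i] ^ b[i];
    return ct_is_zero_mask(acc) & 1;
}

/* out = (a + b) mod p for a, b < p. Both the raw sum and sum - p are
 * computed unconditionally and one is chosen with a mask, not an if.
 * Returns the selector bit (1 when the reduced value was taken). */
static uint64_t add_mod(uint64_t out[LIMBS], const uint64_t a[LIMBS],
                        const uint64_t b[LIMBS], const uint64_t p[LIMBS])
{
    uint64_t sum[LIMBS], diff[LIMBS];
    uint64_t carry  = add_limbs(sum, a, b);
    uint64_t borrow = sub_limbs(diff, sum, p);
    /* reduce if the sum overflowed 2^256, or if sum >= p (no borrow) */
    uint64_t take_diff = carry | (borrow ^ 1);
    uint64_t mask = 0 - take_diff;                 /* 0 or all-ones */
    for (size_t i = 0; i < LIMBS; i++)
        out[i] = (sum[i] & ~mask) | (diff[i] & mask);
    return take_diff;
}

/* Constructed sample values for this example: p = 2^255 - 19 and small operands. */
static const uint64_t P25519[LIMBS]    = { 0xFFFFFFFFFFFFFFEDULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL };
static const uint64_t P_MINUS_1[LIMBS] = { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL };
static const uint64_t ZERO[LIMBS]      = { 0, 0, 0, 0 };
static const uint64_t ONE[LIMBS]       = { 1, 0, 0, 0 };
static const uint64_t TWO[LIMBS]       = { 2, 0, 0, 0 };
static const uint64_t THREE[LIMBS]     = { 3, 0, 0, 0 };
static const uint64_t ALL_ONES[LIMBS]  = { ~0ULL, ~0ULL, ~0ULL, ~0ULL };
static uint64_t scratch[LIMBS];        /* output buffer for stand-alone use */

int main(void)
{
    uint64_t carry = add_limbs(scratch, ALL_ONES, ONE);
    printf("(2^256 - 1) + 1: carry=%llu, wrapped to zero=%llu\n",
           (unsigned long long)carry, (unsigned long long)ct_eq_limbs(scratch, ZERO));
    uint64_t reduced = add_mod(scratch, P_MINUS_1, TWO, P25519);
    printf("(p - 1) + 2 mod p: reduced=%llu, result is 1=%llu\n",
           (unsigned long long)reduced, (unsigned long long)ct_eq_limbs(scratch, ONE));
    return 0;
}
```

Writing the code this way is necessary but not sufficient: the compiler is free to recognise the mask select or the is-zero trick and lower it back to a conditional jump, which is exactly the concern raised above. The practical check is to compile with the real flags of the project (e.g. `gcc -O2 -c` then `objdump -d` on the object) and confirm that none of these functions contain a conditional jump, and to repeat that check whenever the compiler version changes.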