| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Jun 2014 03:13:02 +0100
From: Samuel Neves <sneves@....uc.pt>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] TwoCats multiplication chain
On 06/21/2014 10:06 PM, Solar Designer wrote:
> Here's one more idea I'd like to have recorded in here, and it's about
> multiplication latency hardening in general, not TwoCats specifically.
>
> An attack which I think we haven't mentioned yet is speculative
> computation of multiple possibilities of the next MUL before a previous
> MUL completes.
This may have been considered before, but I couldn't find it on this list. Have you considered modular multiplication
instead? It does a much better job at mixing the bits evenly (and not only from right-to-left), and should be more
effective against the kind of attack you describe. The friendliest modulus for CPUs might be 2^n - 1. For example,
here's x86 code for multiplication modulo 2^32-1:
# compute eax * edx mod 2^32-1
mul edx # edx:eax = eax * edx
add eax, edx # edx*2^32 + eax = (edx*1 + eax) mod 2^32-1
adc eax, 0 # addition above may overflow
# handle special case eax*edx mod 2^32-1 = 2^32-1 = 0
# potentially unnecessary
# a branch could be faster here, since it's quite predictable
sub eax, -1 # CF set on eax != 2^32-1
sbb eax, 0 # always add 1 back, except on 2^32-1
It's a little trickier with SIMD, due to the required shuffling and lack of explicit carries, but I think it could also
be made reasonably fast.
Powered by blists - more mailing lists