[Libre-soc-dev] gcc binutils sv cryptoprimitives etc
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Jan 19 21:46:40 GMT 2021
On Tuesday, January 19, 2021, Jacob Lifshay <programmerjake at gmail.com>
wrote:
>
> I'm saying without data-independent execution time our cpu is 99.9%
useless
> for cryptography.
it's an OoO Vector Engine. it's deeply unsuited to constant time
execution. as in: *fundamentally* unsuited and 100% fully incompatible.
trying to claim otherwise is disingenuous and we will get into trouble if
we try.
which entirely misses the point of this funding request.
the purpose of this funding request is to solve a completely different
aspect, *not* " get constant time execution".
constant time execution is achievable through different means, at the
*application* level, which has absolutely nothing to do with the focus of
this funding request, which is the ISA and the primitives.
> These are minimum viable requirements imho.
application-level. basically "not our problem". applications set a timer
and respond "in constant time".... at the *application* level.
this is a common technique that solves a huge array of problems that if you
tried to do them in hardware it SEVERELY compromises performance and
understandability, and literally requires 10x the time and funding.
the solution "use a timer" is dead simple. i have been doing cryptography,
statistical analysis and reverse-engineering for a long time. trying to do
constant time at the instruction level on a Vector ISA, *particularly* on
top of an OoO execution engine, is a very serious (catastrophic) mistake.
i will repeat it again: we are doing an Out-of-Order design. it is NOT
POSSIBLE for us to provide constant time guarantees, period. trying to do
so is an entire separate area of research that requires far greater
resources than we have time for.
we will get into serious trouble by trying to claim that constant time is
possible on an OoO architecture. an intelligent auditor will call
"bullshit" and it could jeapordise the application.
also it is a completely different direction from the primary objective of
the application. i made a first cut at the abstract:
https://libre-soc.org/nlnet_2021_crypto_router/
the objective is to simplify the maths, to make audit and review obvious.
*not*, "create the fastest constant time specialist hard macro possible".
"under the hood" of the application the idea is to get us further funding
that allows us to continue Simple-V development, covering areas that we
missed.
--
---
crowd-funded eco-conscious hardware: https://www.crowdsupply.com/eoma68
More information about the Libre-soc-dev
mailing list