[Libre-soc-dev] gcc binutils sv cryptoprimitives etc

Luke Kenneth Casson Leighton lkcl at lkcl.net
Wed Jan 20 06:09:01 GMT 2021


On Wednesday, January 20, 2021, Hendrik Boom <hendrik at topoi.pooq.com> wrote:

> Cryptography would also benefit from constant-power execution.
> This may also be difficult.

it's insanely difficult and obliterates performance.  L1 and L2 caches are
out.  changes in a single bit from 1 to 0 must be masked with a
corresponding change from 0 to 1 in order to balance the books and that
must occur even when no change is required (!) which is a whopping 4x
increase in power.

mental and an entire area of research all on its own.

we could indeed put in such an application.  it might even be successful.

however what it would do is drag us into a massive rabbithole of focus that
would completely destroy the rest of the project.

a narrow focus on completion time will do exactly the same thing.


Jacob you are doing the rabbithole "narrow focus" thing again, not
listening to what the scope is, getting stuck on an irrelevant detail
without thinking through the larger picture.

the scope here is a *network* processor.

end-user applications are prohibited.

end-user logins are prohibited.

the only interface (attack surface) is the NETWORK.

that operates at millisecond accuracy and response time, doesn't it?

so what possible relevance would *nanosecond* level variance in completion
time have on *millisecond* overall NETWORK packet level response time, when
that millisecond response time had been made uniform by way of a
constant-response uniform timer?

even if tens of thousands of nanosecond level instructions are run per
network level response any variance is stillutterly irrelevant due to the
masking of the uniform response time thanks to the use of a timer, yes?

so what possible benefit would it be to jeapordise the hardware design?

none.

data dependent constant time is a bitch.  predication is out.  even the
optimisations i would like to do for zeroing would be destroyed because a
zero predicate bit would allow us to skip issuing to the Reservation
Station.

can't do that because it would alter completion time.

using FSMs in FUs with early-out?

can't do that.

using analysis of Condition Registers to check early-out of loops?

can't do that.

Karatsuba Multiply algorithm?

can't use that because it detects and skips zero elements which is
data-dependent nonuniform completion time.

every optimisation opportunity whether at hardware or software level is
prohibited.

do you see how utterly destructive and disruptive it would be to try to
design the entire processor around data dependent constant time?

it creates an absolute nightmare that we just cannot afford to deal with.


hence i came up with a SPECIFIC strategy to do a NETWORK ONLY proposal
where end-user interaction is prohibited and a timer may be deployed to
completely mask processing time variance on the only attack surface.

power analysis is likewise completely out of scope by assuming that
attackers have zero physical access.

in this way we can get in an application for funding and go beyond Nov 2021.

l.









-- 
---
crowd-funded eco-conscious hardware: https://www.crowdsupply.com/eoma68


More information about the Libre-soc-dev mailing list