
Enable data independent timing on Apple Silicon #1788

Open
dstebila opened this issue May 9, 2024 · 3 comments

Comments

@dstebila
Member

dstebila commented May 9, 2024

There is a feature on Apple Silicon to switch the processor to a mode where individual operations take constant time, independent of the data they are operating on, which is recommended for cryptographic code. Should we enable this on liboqs?

https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms#Enable-DIT-for-constant-time-cryptographic-operations

@baentsch
Member

Should we enable this on liboqs?

Looks very sensible to me.

@planetf1
Contributor

I note they say their own routines use this feature too. Looks very useful, though we need to strive for all implementations being constant-time in any case. But I guess this is an additional safety net?

@SWilson4
Member

I'm all for enabling it.

I note they say their own routines use this feature too. Looks very useful, though we need to strive for all implementations being constant-time in any case. But I guess this is an additional safety net?

I don't think this feature is as much an additional safety net as it is a foundation. Most of our efforts on constant-time implementation are focused on this part of the Apple docs:

While DIT ensures the timing of certain instructions don’t reveal information about the data, you need additional programming practices to prevent other changes to the processor’s microarchitectural state from providing an adversary with signals about secret values. For example, avoid conditional branches and memory access locations based on the value of the secret data.

It looks to me like DIT ensures that the operations which we assume execute in constant time (e.g., ADD, SUB, XOR) actually do execute in constant time.

Two asides:
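The save/enable/restore DIT window the thread discusses, combined with the branch-free practice the Apple text asks for, as an added example that is not liboqs code and not the snippet from Apple's linked page. It assumes a macOS arm64 build (on any other target the DIT calls compile to no-ops), uses the raw instruction encodings for `msr dit, #1` / `msr dit, #0` and the encoded register name so no `-march=armv8.4-a` flag is needed, and all function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#define DIT_BIT (UINT64_C(1) << 24)   /* PSTATE.DIT is bit 24 of the DIT system register */
#if defined(__APPLE__) && defined(__arm64__)
#include <sys/sysctl.h>
/* Ask the kernel for FEAT_DIT instead of assuming it (every Apple Silicon CPU reports it). */
static int dit_available(void) {
    int v = 0; size_t len = sizeof v;
    return sysctlbyname("hw.optional.arm.FEAT_DIT", &v, &len, NULL, 0) == 0 && v == 1;
}
/* Read DIT by its encoded name, so no -march=armv8.4-a flag is required. */
static uint64_t dit_read(void) {
    uint64_t v; __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(v)); return v;
}
/* Set PSTATE.DIT=1 (0xd503415f encodes "msr dit, #1") and return the previous value. */
static uint64_t dit_enable(void) {
    if (!dit_available()) return 0;
    uint64_t prev = dit_read();
    __asm__ volatile(".long 0xd503415f" ::: "memory");
    return prev;
}
/* Clear DIT again only if it was clear on entry (0xd503405f encodes "msr dit, #0"). */
static void dit_restore(uint64_t prev) {
    if (dit_available() && (prev & DIT_BIT) == 0) __asm__ volatile(".long 0xd503405f" ::: "memory");
}
#else /* not Apple arm64: no DIT, so the window is a no-op and the self-check reports -1 */
static int dit_available(void) { return 0; }
static uint64_t dit_read(void) { return 0; }
static uint64_t dit_enable(void) { return 0; }
static void dit_restore(uint64_t prev) { (void)prev; }
#endif
/* DIT makes EOR/ORR/SUB data-independent, but an early-exit memcmp would still leak, so
 * this loop has no secret-dependent branch and folds the result arithmetically. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return (int)((((uint32_t)acc - 1u) >> 31) & 1u);   /* 1 iff every byte matched */
}
/* Bracket the secret-dependent work in a DIT window and restore the caller's state. */
int ct_equal_dit(const uint8_t *a, const uint8_t *b, size_t n) {
    uint64_t prev = dit_enable();
    int r = ct_equal(a, b, n); dit_restore(prev); return r;
}
/* Self-check: 1 if DIT reads back as set inside a window, -1 when the CPU has no DIT. */
int dit_self_check(void) {
    if (!dit_available()) return -1;
    uint64_t prev = dit_enable();
    int ok = (dit_read() & DIT_BIT) != 0; dit_restore(prev); return ok;
}
```

`ct_equal_dit(tag, received, 16)` compares a 16-byte MAC tag inside a DIT window; on Apple Silicon `dit_self_check()` returns 1, confirming the bit was actually set in user mode, and restoring the previous value matters because a caller may already have had DIT enabled.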

4 participants