RFR(L): 8069539: RSA acceleration
Florian Weimer
fweimer at redhat.com
Mon May 11 15:37:36 UTC 2015
On 05/08/2015 07:19 PM, Andrew Haley wrote:
>> Do we want to add side-channel protection as part of this effort
>> (against timing attacks and cache-flushing attacks)?
>
> I wouldn't have thought so. It might make sense to add an optional
> path without key-dependent branches, but not as a part of this effort:
> the goals are completely orthogonal.
I'm not well-versed in this kind of side-channel protection for RSA
implementations, but my impression is that algorithm changes are needed to
mitigate the impact of data-dependent memory fetches (see fixed-width
modular exponentiation). But maybe the necessary changes materialize at
a higher level, beyond the operation which you proposed to intrinsify.
--
Florian Weimer / Red Hat Product Security
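An added illustration of the point raised in the message above, not code from this thread or from OpenJDK: a left-to-right square-and-multiply whose operation sequence depends on the exponent, next to a fixed-window exponentiation (the message calls it fixed-width) that does the same number of squarings and multiplications per window and fetches its precomputed table through a mask-based select that reads every entry. The function names, the toy RSA parameters (n = 3233, e = 17, d = 2753) and the 16-bit index bound in ct_select are constructed for the example. Python integers are not constant time, so this shows the algorithmic structure only, not a usable hardened implementation.

```python
"""Added example (not part of the hotspot-compiler-dev thread or OpenJDK):
operation sequence of a branchy square-and-multiply versus a fixed-window
exponentiation whose table lookup touches every entry.

Python integers are not constant time, so this demonstrates only the
algorithmic structure, not a usable hardened implementation."""


def modexp_branchy(base, exp, mod, trace=None):
    """Left-to-right square-and-multiply.  The multiply runs only for set
    exponent bits, so the sequence of operations (and hence timing and the
    memory it touches) depends on the secret exponent."""
    acc = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        acc = acc * acc % mod
        if trace is not None:
            trace.append("S")
        if (exp >> i) & 1:          # key-dependent branch
            acc = acc * base % mod
            if trace is not None:
                trace.append("M")
    return acc


def ct_select(table, idx):
    """Return table[idx] while reading every entry.  The wanted entry is kept
    with an arithmetic mask instead of being indexed directly, so the access
    pattern is the same for every idx (the scatter/gather idea).  Indices are
    assumed to be below 2**16 (constructed bound for this example)."""
    out = 0
    for j, entry in enumerate(table):
        eq = (((j ^ idx) - 1) >> 16) & 1   # 1 iff j == idx, without a branch
        out |= entry & -eq                 # -eq is 0 or all-ones
    return out


def modexp_fixed_window(base, exp, mod, exp_bits, w=4, trace=None):
    """Fixed-window exponentiation over a fixed exponent length exp_bits
    (for RSA: the modulus size, with the private exponent zero-padded).
    Every window costs exactly w squarings and one multiplication; a zero
    window multiplies by table[0] == 1 instead of skipping, and the table is
    read through ct_select, so neither the operation sequence nor the table
    access pattern depends on the exponent value."""
    if not 0 <= exp < (1 << exp_bits):
        raise ValueError("exponent does not fit in exp_bits")
    table = [1] * (1 << w)
    for j in range(1, 1 << w):
        table[j] = table[j - 1] * base % mod
    nwin = -(-exp_bits // w)              # ceil(exp_bits / w)
    acc = 1
    for k in range(nwin - 1, -1, -1):
        for _ in range(w):
            acc = acc * acc % mod
            if trace is not None:
                trace.append("S")
        window = (exp >> (k * w)) & ((1 << w) - 1)
        acc = acc * ct_select(table, window) % mod
        if trace is not None:
            trace.append("M")
    return acc


def operation_traces(exp, exp_bits, base=2, mod=3233, w=4):
    """Return the operation sequences of both methods as strings so two
    exponents can be compared: the branchy trace changes with the exponent,
    the fixed-window trace is identical for every exponent of exp_bits bits."""
    t_branchy, t_fixed = [], []
    modexp_branchy(base, exp, mod, t_branchy)
    modexp_fixed_window(base, exp, mod, exp_bits, w, t_fixed)
    return "".join(t_branchy), "".join(t_fixed)


if __name__ == "__main__":
    # Constructed toy RSA key (n = 61 * 53, e = 17, d = 2753), far too small
    # for real use; pow() is the reference result.
    n, d, c = 3233, 2753, 2790
    print(modexp_fixed_window(c, d, n, 12), pow(c, d, n))
    print(operation_traces(2753, 12))
    print(operation_traces(2049, 12))
```

Comparing the two traces for exponents 2753 and 2049 shows the point of the message: the branchy method emits a different S/M sequence for each exponent, while the fixed-window method emits the same sequence and touches every table entry on every window, which is the kind of algorithm-level change that cannot be supplied by intrinsifying a single multiply-and-add primitive.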
More information about the hotspot-compiler-dev mailing list