[PATCH] D155690: [RISCV] Mask instructions in Zkt as constant-time
Wang Pengcheng via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed Jul 19 10:46:24 PDT 2023
wangpc added a comment.
In D155690#4515159 <https://reviews.llvm.org/D155690#4515159>, @craig.topper wrote:
> In order for this to work, the loop over the buffer to encrypt has to be a separate piece of code? Since the branch instructions aren't constant time.
>
> This patch needs a test that shows the warning fires for a non-constant time instruction.
I'm imagining something like this:
__attribute__((constant_time))
void aes128_encrypt(char block_to_encrypt[16], __attribute__((secret)) char key[16], char output_cipher[16]){
// ...
}
An attribute `__attribute__((constant_time))` will indicate that a function needs to be constant-time and shouldn't leak the secret key marked with `__attribute__((secret))`; then we will do some transformations (for example, if-conversion to eliminate branches) in the frontend (Clang) and middle end (LLVM IR) to make sure the generated code has this property. There are lots of downstream projects/papers doing similar work (for X86, ARM, etc.). Since RISC-V has made this constant-time property a standard extension, I think this can be attractive.
But for now, there is still a long way to go. I plan to start by verifying a piece of assembly, as this patch has done.
----
Going back to your question. :-)
The place where a secret may leak is what we need to protect. If each iteration of a loop (excluding the branch instruction in the latch) is constant-time, then the loop won't leak any information about the secret key with or without misprediction (generally speaking).
Actually, Zkt is just a list of instructions that are “safe to use” to handle crypto secrets. So if the branch instructions don't use any registers that hold secrets or are affected by secrets, it's OK for them to be in a "constant-time" loop/function.
I may not have explained it clearly, so I refer you to RISC-V Zkt: Portable Timing Attack Resistance (via Dynamic Taint Analysis) <https://riscvsummit2022.sched.com/event/1CD5g>. :-)
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D155690/new/
https://reviews.llvm.org/D155690
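Added example, not part of the review thread, D155690 or LLVM: a toy register-taint checker that applies the rule stated above to a snippet of RISC-V assembly. It tracks which registers hold secret-derived values, flags branches whose operands are tainted, flags loads/stores whose address is tainted, and flags any instruction outside the Zkt set that consumes a tainted operand. Assumptions: ABI register names; the standard calling convention, so for the `aes128_encrypt` signature above `a0` is the block, `a1` the secret key pointer and `a2` the output; `ZKT_SAFE` is an illustrative subset of the Zkt table, not the authoritative list; `secret_ptrs` marks registers that point at secret memory (a simplification standing in for full memory taint). Both assembly snippets are constructed for the example.

```python
"""Toy taint-based Zkt-conformance checker for RISC-V assembly (example, not LLVM code)."""
import re
from dataclasses import dataclass

# Illustrative subset of the Zkt data-independent-latency instructions.
# Assumption: this is NOT the full table; consult the Zkt spec before relying on it.
ZKT_SAFE = {
    # RVI base ALU (plus the li/mv pseudo-instructions)
    "add", "addi", "sub", "and", "andi", "or", "ori", "xor", "xori",
    "sll", "slli", "srl", "srli", "sra", "srai", "lui", "auipc", "li", "mv",
    # Zbb / Zbkb
    "andn", "orn", "xnor", "rol", "ror", "rori", "rev8", "brev8", "pack", "packh",
    # Zbc / Zbkc
    "clmul", "clmulh",
    # Zkne / Zknd (RV64 AES)
    "aes64es", "aes64esm", "aes64ds", "aes64dsm", "aes64ks1i", "aes64ks2", "aes64im",
}
BRANCHES = {"beq", "bne", "blt", "bge", "bltu", "bgeu", "beqz", "bnez", "jalr", "jr"}
LOADS = {"lb", "lh", "lw", "ld", "lbu", "lhu", "lwu"}
STORES = {"sb", "sh", "sw", "sd"}
REG_RE = re.compile(r"\b(zero|ra|sp|gp|tp|t[0-6]|s\d{1,2}|a[0-7])\b")


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


def _parse(line):
    """Return (mnemonic, [operands]) or None for blank, comment-only and label lines."""
    code = line.split("#", 1)[0].strip()
    if not code or code.endswith(":"):
        return None
    parts = code.split(None, 1)
    rest = parts[1] if len(parts) > 1 else ""
    return parts[0].lower(), [o.strip() for o in rest.split(",")] if rest else []


def _regs(*operands):
    """All ABI register names appearing in the operands, e.g. '0(a1)' -> {'a1'}."""
    return {r for o in operands for r in REG_RE.findall(o)}


def check(asm, secret_regs=(), secret_ptrs=()):
    tainted = set(secret_regs)   # registers holding secret-derived values
    ptrs = set(secret_ptrs)      # registers addressing secret memory (simplified memory taint)
    findings = []
    for n, line in enumerate(asm.splitlines(), 1):
        parsed = _parse(line)
        if parsed is None:
            continue
        mnem, ops = parsed
        text = line.strip()
        if mnem in BRANCHES:
            # A branch is fine in a constant-time loop as long as it reads no secret.
            if _regs(*ops) & tainted:
                findings.append(Finding(n, text, "branch condition/target depends on a secret"))
            continue
        if mnem in LOADS or mnem in STORES:
            reg, base = ops[0], _regs(ops[1])
            if base & tainted:
                findings.append(Finding(n, text, "memory address depends on a secret (cache side channel)"))
            if mnem in LOADS:
                if base & (ptrs | tainted):
                    tainted.add(reg)
                else:
                    tainted.discard(reg)
            continue
        # Register-to-register form: first operand is the destination, the rest are sources.
        dst = ops[0] if ops else None
        srcs = _regs(*ops[1:])
        if mnem not in ZKT_SAFE and srcs & tainted:
            findings.append(Finding(n, text, f"'{mnem}' is not in Zkt: latency may depend on secret operand"))
        if dst and dst != "zero":
            if srcs & tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
            if srcs & ptrs:          # pointer arithmetic keeps a secret pointer secret
                ptrs.add(dst)
            else:
                ptrs.discard(dst)
    return findings


# Constructed snippet: every iteration is Zkt-only and the latch branch reads only t0.
GOOD_ASM = """\
    li   t0, 16           # byte counter (public)
1:
    lbu  t1, 0(a0)        # plaintext byte
    lbu  t2, 0(a1)        # key byte: a1 points at the secret key
    xor  t3, t1, t2       # xor is in Zkt; t3 is now secret-derived
    sb   t3, 0(a2)        # storing a secret to a public address is fine
    addi a0, a0, 1
    addi a1, a1, 1        # advancing the key pointer keeps it a secret pointer
    addi a2, a2, 1
    addi t0, t0, -1
    bnez t0, 1b           # latch branch depends only on the public counter
    ret
"""

# Constructed snippet with the three kinds of leak the checker reports.
BAD_ASM = """\
    lbu  t1, 0(a1)        # key byte: secret
    add  t2, a3, t1       # a3 = table base, index derived from the key
    lbu  t3, 0(t2)        # table lookup at a secret-dependent address
    beqz t1, 2f           # control flow depends on the key
    remu t4, t1, t0       # remu is not in Zkt
2:
    ret
"""

if __name__ == "__main__":
    for name, asm in (("good", GOOD_ASM), ("bad", BAD_ASM)):
        print(f"== {name} ==")
        for f in check(asm, secret_ptrs={"a1"}):
            print(f"line {f.line_no}: {f.text:<24} {f.reason}")
```

The checker only looks at one straight-line pass over the text, so a loop body is verified once in program order; that is enough for the argument in the thread, since the latch branch is accepted precisely when its operands are untainted.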