
Enable data independent timing on Apple Silicon

Open dstebila opened this issue 1 year ago • 3 comments

There is a feature on Apple Silicon to switch the processor to a mode where individual operations take constant time, independent of the data they are operating on, which is recommended for cryptographic code. Should we enable this on liboqs?

https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms#Enable-DIT-for-constant-time-cryptographic-operations

dstebila, May 09 '24 19:05

Should we enable this on liboqs?

Looks very sensible to me.

baentsch, May 12 '24 11:05

I note they say their own routines use this feature too. Looks very useful, though we need to strive for all implementations being constant-time in any case. But I guess this is an additional safety net?

planetf1, May 13 '24 12:05

I'm all for enabling it.

I note they say their own routines use this feature too. Looks very useful, though we need to strive for all implementations being constant-time in any case. But I guess this is an additional safety net?

I don't think this feature is as much an additional safety net as it is a foundation. Most of our efforts on constant-time implementation are focused on this part of the Apple docs:

While DIT ensures the timing of certain instructions don’t reveal information about the data, you need additional programming practices to prevent other changes to the processor’s microarchitectural state from providing an adversary with signals about secret values. For example, avoid conditional branches and memory access locations based on the value of the secret data.

It looks to me like DIT ensures that the operations which we assume execute in constant time (e.g., ADD, SUB, XOR) actually do execute in constant time.

Two asides:

  • We only run constant-time tests on x86_64 at the moment, so even if DIT were switched on for all of our code right now, we couldn't make claims about constant-time behaviour on any ARM platform.
  • It looks like a similar feature is available for certain Intel chips: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html

SWilson4, May 13 '24 13:05
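The thread above discusses two separate layers: the hardware DIT mode that makes instructions like ADD, SUB and XOR take data-independent time, and the programming discipline (no secret-dependent branches or memory accesses) that DIT does not replace. The following C program is an added illustration, not liboqs code and not Apple's sample code. It sets and restores PSTATE.DIT around a branch-free equality check, so the DIT bit is only held while the sensitive work runs and the caller's previous state is preserved. Assumed details: the macOS sysctl key `hw.optional.arm.FEAT_DIT`, the Linux `HWCAP_DIT` auxiliary-vector bit, the `mrs`/`msr dit` mnemonics (which need an assembler that knows FEAT_DIT, e.g. `-march=armv8.4-a` on GCC), and that the DIT flag sits at bit 24 of the DIT system register. On non-arm64 hosts every DIT helper is a reported no-op and the comparison still runs, so the behaviour matches the "additional safety net" framing: the constant-time code is what you rely on, DIT is what the hardware adds on top.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__aarch64__) && defined(__APPLE__)
#include <sys/sysctl.h>
#elif defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#include <asm/hwcap.h>
#endif

/* Does this CPU implement FEAT_DIT?  1 = yes, 0 = no or not arm64.
 * Assumption: the sysctl key and HWCAP bit named below. */
int dit_supported(void) {
#if defined(__aarch64__) && defined(__APPLE__)
    int v = 0;
    size_t len = sizeof v;
    if (sysctlbyname("hw.optional.arm.FEAT_DIT", &v, &len, NULL, 0) != 0) return 0;
    return v != 0;
#elif defined(__aarch64__) && defined(__linux__) && defined(HWCAP_DIT)
    return (getauxval(AT_HWCAP) & HWCAP_DIT) != 0;
#else
    return 0;
#endif
}

/* Read PSTATE.DIT (assumed to be bit 24 of the DIT register); 0 if unsupported. */
int dit_read(void) {
#if defined(__aarch64__)
    uint64_t v;
    if (!dit_supported()) return 0;
    __asm__ volatile("mrs %0, dit" : "=r"(v));
    return (int)((v >> 24) & 1);
#else
    return 0;
#endif
}

/* Switch DIT on and return the previous state so the caller can restore it. */
int dit_enable(void) {
    int prev = dit_read();
#if defined(__aarch64__)
    if (dit_supported()) __asm__ volatile("msr dit, #1" ::: "memory");
#endif
    return prev;
}

/* Put PSTATE.DIT back to what dit_enable() found. */
void dit_restore(int prev) {
#if defined(__aarch64__)
    if (dit_supported() && prev == 0) __asm__ volatile("msr dit, #0" ::: "memory");
#else
    (void)prev;
#endif
}

/* Branch-free equality: every byte is read, the result is folded arithmetically.
 * This is the software discipline DIT does not provide by itself. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (unsigned)(a[i] ^ b[i]);
    /* acc is 0..255; (acc - 1) >> 8 is 1 only when acc == 0 */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Run the comparison with DIT held on for its duration. */
int ct_equal_dit(const uint8_t *a, const uint8_t *b, size_t n) {
    int prev = dit_enable();
    int r = ct_equal(a, b, n);
    dit_restore(prev);
    return r;
}

int main(void) {
    /* constructed sample MACs; the second differs in its last byte */
    const uint8_t tag_a[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe};
    const uint8_t tag_b[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xff};
    printf("FEAT_DIT supported: %d, DIT currently: %d\n", dit_supported(), dit_read());
    printf("tag_a == tag_a: %d\n", ct_equal_dit(tag_a, tag_a, sizeof tag_a));
    printf("tag_a == tag_b: %d\n", ct_equal_dit(tag_a, tag_b, sizeof tag_b));
    printf("DIT after restore: %d\n", dit_read());
    return 0;
}
```

Note the save/restore pattern: a library cannot assume it owns PSTATE.DIT, since the caller (or, per the docs, Apple's own frameworks) may already have it set, so only the transitions this code made are undone.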