SQUIP new way to attack keys

Argh! Just spent most of the morning reading this paper: https://stefangast.eu/papers/squip.pdf Most of the eight listed authors are at Graz University of Technology. Even if it were a group project for a graduate-level course, I’d give them an A. It shows an attack on Zen 2 and Zen 3 CPUs. But don’t rush out to buy an old CPU. It only works if two processes share the same core, one attacker and one victim. There are actually (slightly) more general attacks to take advantage of symmetric multi-threading (SMT), and constant-time algorithms (CTA) can stymie their approach.

I didn’t know that there was any non-CTA crypto code still in existence.* And Windows refuses to assign two different VMs to the same core. The paper finally talks about CTA on page 12. I began to suspect that CTA could foil the attack a page or two earlier.

Anyway, nothing to see here; move along. Unless you are working on a PhD in computer security. ;=)

  • The reason crypto code should be CTA is the same reason that all similar code should be CTA: It is much faster. Branches tied to bits in arithmetic results are close to 50/50. So half the time several to hundreds of clock cycles will be required to execute the branch. Yes, caching means you are normally on the short side of that wait. However, if (AMD64) you use a cmovCC instruction, it behaves much better. CC is a conditional just like in jumps/branches. No bubbles, and the conditional move can be a value of any standard size.