Menu
▾
▴
Re: [sdcc-devel] AES optimization opportunity
|
From: Philipp K. K. <pk...@sp...> - 2025-12-19 20:53:47
|
Am 15.03.22 um 19:39 schrieb Gabriele Gorla via sdcc-devel: > On Tue, 2022-03-15 at 13:22 +0100, Philipp Klaus Krause wrote: >> Am 14.03.22 um 19:07 schrieb Gabriele Gorla via sdcc-devel: >> >>> >>> Can the optimizer transform the following? >>> ( (a) & 1)*b >>> to: >>> ( (a) & 1 )?b:0 >>> >>> The construct is common in code targeted at modern cpus where >>> multiplications are cheap and conditionals are expensive. >> >> I am currently opposed to this optimization (to the point that I >> think >> it could make SDCC a real-world example of a "hostile >> implementation", a >> hypothetical concept that comes up once in a while in discussions of >> the >> C standard): >> >> I have not yet seen the multiplication-instead-of-branch construct >> outside of cryptographical code. In cryptographical code is is not >> used >> for speed, but as a mitigation against a side-channel attack. >> Optimizing >> this to ( (a) & 1 )?b:0, might be still be okay at first, but it is >> likely, that further optimizations would then only compute b if (a) & >> 1. >> That would reenable the side-channel attack: >> >> The runtime of the algorithm would depend on the data. A timing >> attack >> would then measure the response time of a device running the >> algorithm >> to deduct information about secrets (key or plaintext). >> >> Philipp > > Good point. To prevent the attack can this optimization be applied when > b is literal/constant? > That should be fine. Philipp |
