math/bits: Add, Mul and Sub are not constant time #31229
Comments
Constant time operations are only useful for crypto and the extra slowness is undesirable in every other domain. Just saying...
This issue is only about the Go fallbacks when intrinsics are not available for the target architecture. If your architecture doesn't have intrinsics, your code will already be extra slow. The fix in that case is to implement the intrinsics.
The goal is to have fast and safe intrinsics, it's why these functions were added. In the meantime, I'd rather have slow fallbacks than unsafe ones, though.
Not every architecture has add with carry, for example. If by "intrinsics" you mean e.g.
The branchless, constant-time versions of Add and Sub from Hacker's Delight were originally proposed, but it was faster to compute the sum normally, and check a condition to compute the carryOut and borrowOut. I have the constant-time version here that I can send in as a CL:
@smasher164 please do, yeah. |
Change https://golang.org/cl/170758 mentions this issue: |
Discussion on #31267 about whether to change these. |
Also, if someone wants to double-check the math/bits Add64 benchmark, that would be helpful. If it is literally never executing the 'carryOut = true' case, then it's a bad benchmark. It should do a mix of operations. |
Looks like this is now a duplicate of #31267. |
These functions were added in #24813 to be intrinsified for high performance code like cryptography.
Cryptography code also needs to be constant time most of the time, so it would be good for the Go fallbacks to try to be constant time. (I realize that a smart compiler can rewrite them.)
The fallbacks are going to be slow anyway, so I don’t think there’s a big performance concern.
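To make the issue concrete, here is an added example (not code from this issue or from the Go tree) contrasting the two shapes discussed above: a fallback that derives the carry-out/borrow-out from a comparison, which a compiler may lower to a data-dependent branch, and the branchless Hacker's Delight formulation mentioned in the comment about the original CL. It also addresses the benchmark concern raised later in the thread by running both versions, together with the library's own `bits.Add64` and `bits.Sub64`, over a constructed input set that deliberately mixes carry and no-carry cases. The function names `addBranchy`, `addBranchless`, `subBranchy`, `subBranchless` and `checkAgreement`, and the sample inputs, are this example's own.

```go
package main

import (
	"fmt"
	"math/bits"
)

// addBranchy has the shape of a plain-Go Add64 fallback: the carry-out is
// obtained by comparing the sum against an operand, which a compiler is free
// to lower to a conditional branch on targets without add-with-carry.
func addBranchy(x, y, carry uint64) (sum, carryOut uint64) {
	sum = x + y + carry
	// The true sum wrapped past 2^64 iff sum < x, or sum == x when a
	// carry-in of 1 was absorbed by y == 2^64-1.
	if sum < x || (carry != 0 && sum == x) {
		carryOut = 1
	}
	return
}

// addBranchless is the Hacker's Delight formulation: the carry-out of x+y+c
// is the top bit of (x&y) | ((x|y) &^ sum). The carry-in is already folded
// into sum, so the formula holds with c != 0 too. Only AND/OR/AND-NOT/shift,
// no data-dependent control flow.
func addBranchless(x, y, carry uint64) (sum, carryOut uint64) {
	sum = x + y + carry
	carryOut = ((x & y) | ((x | y) &^ sum)) >> 63
	return
}

// subBranchy derives the borrow-out from a comparison (data-dependent branch).
func subBranchy(x, y, borrow uint64) (diff, borrowOut uint64) {
	diff = x - y - borrow
	// x - y - b is negative iff x < y + b, i.e. x < y, or x == y with b == 1.
	if x < y || (borrow != 0 && x == y) {
		borrowOut = 1
	}
	return
}

// subBranchless is the matching Hacker's Delight borrow formula.
func subBranchless(x, y, borrow uint64) (diff, borrowOut uint64) {
	diff = x - y - borrow
	borrowOut = ((^x & y) | (^(x ^ y) & diff)) >> 63
	return
}

// testCase is one constructed input (x, y, carry/borrow-in). The set mixes
// carry-out = 0 and carry-out = 1 cases on purpose: a benchmark or test that
// only ever hits one of them says nothing about the other path.
type testCase struct{ x, y, c uint64 }

var mixedCases = []testCase{
	{1, 2, 0},                                   // no carry
	{1 << 63, 1 << 63, 0},                       // carry out of the top bit
	{^uint64(0), 0, 1},                          // carry produced only by the carry-in
	{^uint64(0), ^uint64(0), 1},                 // every bit set
	{0x8000000000000000, 0x7fffffffffffffff, 1}, // exactly 2^64: sum 0, carry 1
	{0x123456789abcdef0, 0x0fedcba987654321, 0}, // no carry
	{0, 0, 0},
	{0, 0, 1},
}

// checkAgreement runs every constructed case through the branchy version,
// the branchless version and the library's bits.Add64 / bits.Sub64, and
// reports whether all three agree plus how many add cases produced a carry,
// so a caller can see the input mix is not degenerate.
func checkAgreement() (agree bool, carries int) {
	agree = true
	for _, tc := range mixedCases {
		s1, c1 := addBranchy(tc.x, tc.y, tc.c)
		s2, c2 := addBranchless(tc.x, tc.y, tc.c)
		s3, c3 := bits.Add64(tc.x, tc.y, tc.c)
		if s1 != s2 || s1 != s3 || c1 != c2 || c1 != c3 {
			agree = false
		}
		carries += int(c2)

		// Reuse the same operands as x - y - borrow.
		d1, b1 := subBranchy(tc.x, tc.y, tc.c)
		d2, b2 := subBranchless(tc.x, tc.y, tc.c)
		d3, b3 := bits.Sub64(tc.x, tc.y, tc.c)
		if d1 != d2 || d1 != d3 || b1 != b2 || b1 != b3 {
			agree = false
		}
	}
	return
}

func main() {
	ok, n := checkAgreement()
	fmt.Printf("all implementations agree: %v; %d of %d add cases carry\n", ok, n, len(mixedCases))
}
```

Agreement on values only shows the formulas are correct, not that the emitted machine code is branch-free; as the issue text notes, a compiler may rewrite either form. To check what was actually generated for a given target, inspect the assembly (for example with `go build -gcflags=-S` or `go tool objdump`) and confirm the carry/borrow computation contains no conditional jump on the operand values.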