From: John R Levine
Newsgroups: comp.compilers
Subject: Crypto friendly optimization?
Date: Sat, 24 Aug 2024 17:14:53 -0400
Organization: Compilers Central
Message-ID: <24-08-003@comp.compilers>
Keywords: optimize, question

On a cryptography list people were complaining that compiler optimizers mess up their cryptographic code and make it insecure. They try to write code that runs in constant time, or that erases all the temporary storage, but the compilers say oh, that's dead code, or oh, I can make this faster with a few branches and the erases go away and the constant time isn't.

This 2018 paper from Cambridge discusses changes they made to Clang/LLVM so they could tell the compiler what they wanted it to do. Has there been other work on this topic?

https://on.ft.com/3MjWez0

R's,
John
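
Added illustration, not part of the original post and not taken from the linked paper: the two idioms the complaint is about (an erase the optimizer should not drop, and a comparison with no secret-dependent branch), written in C. The function names and sample tags are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Erase via a volatile-qualified pointer. Mainstream compilers treat each
 * volatile store as a side effect they must keep, whereas a plain memset()
 * on a buffer that is never read again is a dead store they may delete. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Compare without an early exit: every byte is read and the differences are
 * OR-ed together, so the source has no secret-dependent branch.
 * Returns 1 if the buffers are equal, 0 otherwise. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 wraps to 0xFFFFFFFF, whose bit 8 is set; 1..255 give 0. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Hypothetical caller: keeps a scratch copy of the expected tag on the
 * stack, compares, then wipes the copy before returning. */
static int check_tag(const uint8_t *expected, const uint8_t *got, size_t len)
{
    uint8_t scratch[32];
    if (len > sizeof scratch)
        return 0;                       /* length is public, branch is fine */
    memcpy(scratch, expected, len);
    int ok = ct_equal(scratch, got, len);
    secure_wipe(scratch, sizeof scratch);   /* memset() here could be elided */
    return ok;
}

int main(void)
{
    /* Constructed sample tags, not real key material. */
    const uint8_t good[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t bad[4]  = {0xde, 0xad, 0xbe, 0xee};
    printf("match=%d mismatch=%d\n",
           check_tag(good, good, 4), check_tag(good, bad, 4));
    return 0;
}
```

Neither idiom is guaranteed by the language; the generated assembly still has to be inspected for each compiler and optimization level.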