In recent years, microarchitectural attacks have become a significant threat to cryptographic software and hardware. In particular, cache-based side-channel attacks have had devastating effects on the underlying cryptographic primitives, often resulting in complete key compromise. In response, implementations have adopted a "constant-time" programming approach to mitigate these attacks.
Constant-time is the name for a collection of techniques that ensure the execution of a cryptographic algorithm does not leak secret information through its timing, its control flow, or its memory-access pattern. In a nutshell, the program may only use operations whose latency is independent of their operands, and it must not branch on secrets or index memory with secret-derived addresses.
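To make the three rules concrete, here is an added example (not code from the talk or its authors) of the two patterns that most often violate them in practice, each next to a constant-time rewrite. The byte arrays and the small lookup table are constructed test data; the function names are this example's own. The leaky versions are compact and correct, but their running time or cache footprint depends on the secret: the comparison exits at the first mismatching byte, and the table lookup touches a cache line chosen by the secret index. The constant-time versions do the same work regardless of the secret by folding the decision into bitmasks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- Secret-dependent branch: early-exit comparison ------------------- */

/* Leaky: returns as soon as a byte differs, so the time taken reveals how
 * many leading bytes of a (e.g. a MAC tag) matched b. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time: always examines all n bytes and never branches on data.
 * acc is 0 iff every byte matched; the final expression maps 0 -> 1 and
 * any nonzero value -> 0 without a conditional. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    return (int)(((uint32_t)acc - 1u) >> 31);
}

/* --- Branch-free helpers ---------------------------------------------- */

/* All-ones mask if a == b, all-zeros otherwise. x | -x has its top bit set
 * exactly when x != 0, so nz is 1 for "different" and 0 for "equal". */
uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    uint32_t nz = (x | (0u - x)) >> 31;
    return nz - 1u;
}

/* Returns a if bit == 1, b if bit == 0, without branching on bit. */
uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b) {
    uint32_t m = 0u - (bit & 1u);   /* 0xFFFFFFFF or 0x00000000 */
    return (a & m) | (b & ~m);
}

/* --- Secret-dependent memory access: table lookup --------------------- */

/* Leaky: the address table + idx depends on the secret idx, so which cache
 * line is loaded (observable via Prime+Probe, Flush+Reload, ...) leaks idx. */
uint32_t leaky_lookup(const uint32_t *table, size_t n, size_t idx) {
    (void)n;
    return table[idx];
}

/* Constant-time: read every entry in a fixed order and keep, via the
 * equality mask, only the one at the secret index. The access pattern is
 * identical for every idx; the cost is n loads instead of one. */
uint32_t ct_lookup(const uint32_t *table, size_t n, size_t idx) {
    uint32_t out = 0;
    for (size_t i = 0; i < n; i++) {
        out |= table[i] & ct_eq_mask((uint32_t)i, (uint32_t)idx);
    }
    return out;
}

/* --- Constructed test data (not from any real implementation) --------- */
const uint8_t TAG_A[4] = {0x10, 0x20, 0x30, 0x40};
const uint8_t TAG_B[4] = {0x10, 0x20, 0x30, 0x40};   /* equal to TAG_A */
const uint8_t TAG_C[4] = {0x10, 0x20, 0x99, 0x40};   /* differs at byte 2 */
const uint32_t SBOX[8] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18};

int main(void) {
    printf("ct_compare(A,B)=%d ct_compare(A,C)=%d\n",
           ct_compare(TAG_A, TAG_B, 4), ct_compare(TAG_A, TAG_C, 4));
    printf("ct_lookup(SBOX,5)=0x%02X leaky_lookup(SBOX,5)=0x%02X\n",
           ct_lookup(SBOX, 8, 5), leaky_lookup(SBOX, 8, 5));
    printf("ct_select(1,10,20)=%u ct_select(0,10,20)=%u\n",
           ct_select(1, 10, 20), ct_select(0, 10, 20));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the source is only half the story: an optimising compiler is free to turn `ct_select` back into a conditional move or a branch, so constant-time code must be checked at the assembly level (or with a tool such as ctgrind or dudect) rather than trusted from its C form. Second, "constant-time" is defined relative to a leakage model; the code above removes secret-dependent branches and addresses, but an implementation that then relaxes the model, say by keeping the full-table scan only for some tables, or by assuming accesses within one cache line are indistinguishable, is exactly the kind of relaxation whose safety the talk examines.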
To reduce the performance overhead of constant-time programming, developers have explored some relaxations of the model. In this talk I will cover some cache-based side-channel attacks and demonstrate how relaxing constant-time programming often renders implementations vulnerable.
The talk is self-contained and assumes no specialist knowledge of either processor microarchitecture or cryptography. This is joint work with Daniel Genkin and Nadia Heninger.