Re: Cleanup for cryptographic algorithms vs. compiler optimizations

From: C. P. Ghost <cpghost_at_cordula.ws>
Date: Mon, 14 Jun 2010 03:43:08 +0200
On Sun, Jun 13, 2010 at 11:35 PM, Bernd Walter <ticso_at_cicely7.cicely.de> wrote:
> Crypto code wasn't aware of this problem and this is a way more
> obvious optimization than function exchange.
> And I do believe that the programmers were clever people.
> Alarming, isn't it?
> Maybe paranoid users might consider compiling their OS with -O0, but
> I don't think this is the right way.

I think that most crypto code isn't compiled with strong optimizations
anyway, even when the rest of the OS or program is (or can be). After all,
we do have separate compilation units... as long as you don't enable LTO,
of course.

Turning off strong optimizations for crypto code may seem paradoxical,
but since most performance-critical routines often contain hand-optimized
assembly anyway, and compiler optimizations may be counter-productive
here, the point is rather moot, usually.

> It is amazing how strong the influence of optimization is and how weak
> the programmers' assumptions are.

Indeed. That's a classic trap that trips a lot of crypto programmers
in particular, and even seasoned C programmers occasionally.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
Received on Sun Jun 13 2010 - 23:43:10 UTC
