> attacks SIKE (a key exchange
mechanism) through a power side channel, by observing the resulting
frequency of a core (which goes down if per-cycle power goes up).
Different bit patterns in the keys consume different amounts of power
in a "constant-time" (i.e., state-of-the-art) implementation of SIKE
which apparently allows to get some info about the bits in the keys by
observing the frequency.
So I was wondering if one could mitigate this by performing a
complementary computation that results in constant total power.
Letting both the key and the ones-complement of the key run through
SIKE is probably too naive. In an OoO CPU where every computation
overwrites a different physical register (and the original contents is
almost unpredictable), I don't see how to do the complementary
approach, but then I don't see how the exploit works. I guess I
should read the paper in more depth.
'Anyone trying for "industrial quality" ISA should avoid undefined behavior.'
Mitch Alsup, <c17fcd89-f024-40e7...@googlegroups.com