[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: identical input, different output?

To: Colin Percival <cperciva@tarsnap.com>
Subject: Re: identical input, different output?
From: Solar Designer <solar@openwall.com>
Date: Sat, 6 Dec 2014 02:01:59 +0300
Cc: Arnold Reinhold <agr@me.com>, scrypt@tarsnap.com
In-reply-to: <54822698.3090402@tarsnap.com>
References: <7AE9DD36-A667-4B8D-B2E1-FF781E28D995@lyndir.com> <54800408.8060905@tarsnap.com> <90a1f03fd091607c039a8c7e6133145e.squirrel@lelantoss7bcnwbv.onion> <5482147B.1050405@tarsnap.com> <A79F9D40-549B-4F66-93AD-4CD9F0AA7FB7@me.com> <54822698.3090402@tarsnap.com>

On Fri, Dec 05, 2014 at 01:41:44PM -0800, Colin Percival wrote:
> On 12/05/14 13:41, Arnold Reinhold wrote:
> > If so a quick trial SSE calculation would reveal the absence, allowing an error return. Seems prudent. 
> 
> Yes, I'm planning on adding code to do that.  But I don't know if that's the
> issue which Maarten ran into.

Right.

I think you need to choose between these 3 approaches:

1. Invoke any SSE2 instruction (via a compiler intrinsic or inline asm?)
that has no MMX counterpart, to ensure that the code crashes on pre-SSE2
CPUs.  Need to ensure this won't be optimized out, either by using the
result of this intrinsic in a way too complicated for the compiler to
figure out and eliminate or by using "volatile asm" (less portable, but
more reliable where it is supported).

2. Perform some computation with SSE2 instructions that scrypt uses and
check the result.  Again, there's some risk of a smart compiler doing
this at compile time (assuming proper SSE2 behavior of the intrinsics)
and optimizing the check out, and again "volatile asm" would address
this (with similar pros and cons).  So it's about the same as approach
#1 above, just more complicated.  Oh, also if the program is not made to
crash on failing this self-test, this may actually be worse than #1 in
case the caller doesn't check the return value.

3. Run a self-test of the entire scrypt, with some minimal parameters
(for the overhead to be negligible performance-wise).  I think this is
actually best (and should be in -nosse as well).  If done after main
computation, this will also wipe some of the memory and registers from
sensitive data.  Hopefully, the computation will be non-trivial enough
that the compiler won't attempt to do it at compile time.  The usual
pros and cons of returning error vs. crashing apply - I am unsure which
is best in this case.  scrypt may fail (and return error) on failed
memory allocation anyway.  (Crashing on an SSE2-only instruction in code
compiled for SSE2 or better feels fair.  Crashing on a failed self test,
slightly less so, although there is clear similarity here.)

Alexander

References:
- identical input, different output?
  - From: Maarten Billemont <lhunath@lyndir.com>
- Re: identical input, different output?
  - From: Colin Percival <cperciva@tarsnap.com>
- Re: identical input, different output?
  - From: danielw@emaildoge.com
- Re: identical input, different output?
  - From: Colin Percival <cperciva@tarsnap.com>
- Re: identical input, different output?
  - From: Arnold Reinhold <agr@me.com>
- Re: identical input, different output?
  - From: Colin Percival <cperciva@tarsnap.com>

Prev by Date: Re: identical input, different output?
Next by Date: Re: identical input, different output?
Previous by thread: Re: identical input, different output?
Next by thread: Re: identical input, different output?
Index(es):
- Date
- Thread