Author: Mike Hearn 2014-03-06 08:38:40
Published on: 2014-03-06T08:38:40+00:00
The discussion revolves around implementing a hardened secp256k1 signer in userspace and whether that would be preferable to moving signing into the kernel. It is suggested that using MTRRs to disable caching entirely for a small scratch region of memory could work, but that it may not be necessary. The conversation also covers branchless code, uniform memory access, and avoiding data-dependent loads in order to hide memory-timing side-channels. It is noted that even with branchless code, other defensive measures, such as avoiding reuse, multisig across multiple devices, and not sharing hardware, remain important. Vulnerability to FLUSH+RELOAD attacks is also discussed, and it is believed that a branchless implementation in which each phase of the operation executes exactly the same code and accesses exactly the same stack frames would not be vulnerable to this attack.
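As an added illustration of the branchless, uniform-memory-access style the thread describes (example code written for this page, not from the original discussion or from any secp256k1 implementation), the following C places a data-dependent table load beside a masked lookup that reads every entry on every call, and adds a branchless conditional swap of the kind a ladder uses so that each step runs the same code on the same stack slots. The table size, limb layout, contents and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define LIMBS 4        /* a 256-bit value as four 64-bit limbs (assumed layout) */
#define TABLE_SIZE 16  /* e.g. a window of precomputed point multiples (assumed) */
/* Data-dependent load: which cache line is touched depends on 'index', which is
   exactly what a FLUSH+RELOAD observer on shared hardware recovers. Contrast only. */
static void leaky_lookup(uint64_t out[LIMBS], uint64_t table[][LIMBS], size_t index) {
    memcpy(out, table[index], LIMBS * sizeof(uint64_t));
}
/* All-ones when a == b, else zero, computed without a branch. */
static uint64_t ct_eq_mask(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;                  /* zero iff a == b */
    return ((x | (0 - x)) >> 63) - 1;    /* top bit of x|-x is set iff x != 0 */
}
/* Uniform memory access: every entry is read on every call and the wanted one is
   selected by mask, so the access pattern does not depend on 'index'. */
static void ct_lookup(uint64_t out[LIMBS], uint64_t table[][LIMBS], size_t index) {
    memset(out, 0, LIMBS * sizeof(uint64_t));
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint64_t m = ct_eq_mask((uint64_t)i, (uint64_t)index);
        for (size_t j = 0; j < LIMBS; j++) out[j] |= table[i][j] & m;
    }
}

/* Branchless conditional swap: a ladder step runs the same instructions on the
   same stack slots whether the key bit is 0 or 1. */
static void ct_cswap(uint64_t a[LIMBS], uint64_t b[LIMBS], uint64_t bit) {
    uint64_t m = 0 - (bit & 1);          /* all-ones when bit is set */
    for (size_t j = 0; j < LIMBS; j++) {
        uint64_t t = (a[j] ^ b[j]) & m;
        a[j] ^= t; b[j] ^= t;
    }
}

/* Constructed self-check with table[i][j] = 100*i + j; returns 1 on success. */
static int selftest(void) {
    uint64_t table[TABLE_SIZE][LIMBS], got[LIMBS], ref[LIMBS];
    for (size_t i = 0; i < TABLE_SIZE; i++)
        for (size_t j = 0; j < LIMBS; j++) table[i][j] = 100 * i + j;
    for (size_t idx = 0; idx < TABLE_SIZE; idx++) {
        ct_lookup(got, table, idx); leaky_lookup(ref, table, idx);
        if (memcmp(got, ref, sizeof got) != 0) return 0;
    }
    uint64_t a[LIMBS] = {1, 2, 3, 4}, b[LIMBS] = {5, 6, 7, 8};
    ct_cswap(a, b, 0);                                    /* bit 0: no change */
    if (a[0] != 1 || b[0] != 5) return 0;
    ct_cswap(a, b, 1);                                    /* bit 1: swapped */
    return a[0] == 5 && a[3] == 8 && b[0] == 1 && b[3] == 4;
}
```

Both lookups return the same value; the difference a shared-cache observer sees is that `ct_lookup` touches all sixteen entries regardless of `index`, while `leaky_lookup` touches only the selected one.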
Updated on: 2023-06-08T04:00:46.419913+00:00