Slice bytes of G multiples to avoid cache timings. #1

pull sipa wants to merge 1 commits into bitcoin-core:master from sipa:slice changing 1 files +28 −7
  1. sipa commented at 11:29 PM on March 6, 2014: contributor

    No description provided.

  2. Slice bytes of G multiples to avoid cache timings 65a79b300c
  3. gmaxwell commented at 12:06 AM on March 7, 2014: contributor

    So measuring the cycle counts for pubkey generation (on my laptop, pinned to a single cpu and running with realtime priority):

    (tn is with the pull, to is without)

    summary(scan('tn'))
    Read 1000000 items
       Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
      76450   76920   77010   78230   77110  439600
    summary(scan('to'))
    Read 1000000 items
       Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
      63810   64380   64450   65440   64540  311000
    sd(scan('tn'))
    Read 1000000 items
    [1] 4820.458
    sd(scan('to'))
    Read 1000000 items
    [1] 4523.553

    So it's a fair bit slower, and it's not obvious that it reduced the timing variance. (though it is slightly less if I exclude measurements past the 3rd quartile)

  4. sipa commented at 12:18 AM on March 7, 2014: contributor

    I only expect time variations if you have significant ranges of identical multiplicand bits between consecutive runs, which I don't expect to happen in random multiplications.

  5. sipa referenced this in commit 78cb860733 on Mar 12, 2014
  6. sipa merged this on Mar 12, 2014
  7. sipa closed this on Mar 12, 2014

  8. benma referenced this in commit d581749227 on Jun 21, 2019
  9. real-or-random referenced this in commit 9a8db52f4e on Oct 29, 2024
  10. real-or-random referenced this in commit ac561601b8 on Feb 19, 2026
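
An added illustration, not the code from this pull request: one way a byte-sliced table makes the set of cache lines read by a lookup independent of the secret index. The 16-entry table, 64-byte entries, 64-byte line-aligned cache lines, the sample data and all function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#define ENTRIES   16  /* assumed: one entry per 4-bit window value */
#define ENTRY_LEN 64  /* assumed: bytes per precomputed entry */
#define LINE      64  /* assumed: cache line size; table base is line-aligned */
static unsigned char flat[ENTRIES][ENTRY_LEN];   /* entry i is contiguous */
static unsigned char sliced[ENTRY_LEN][ENTRIES]; /* byte k of all entries is contiguous */

/* Fill both layouts with the same constructed sample data. */
void table_fill(void) {
    for (unsigned i = 0; i < ENTRIES; i++)
        for (unsigned k = 0; k < ENTRY_LEN; k++)
            flat[i][k] = sliced[k][i] = (unsigned char)(i * 31 + k * 7 + 1);
}

/* Copy entry idx out; return a bitmask of the table cache lines that were read. */
uint32_t lookup_flat(unsigned idx, unsigned char *out) {
    uint32_t lines = 0;
    for (unsigned k = 0; k < ENTRY_LEN; k++) {
        out[k] = flat[idx][k];
        lines |= 1u << ((idx * ENTRY_LEN + k) / LINE);
    }
    return lines;
}
uint32_t lookup_sliced(unsigned idx, unsigned char *out) {
    uint32_t lines = 0;
    for (unsigned k = 0; k < ENTRY_LEN; k++) {
        out[k] = sliced[k][idx];
        lines |= 1u << ((k * ENTRIES + idx) / LINE);
    }
    return lines;
}

/* Number of different cache footprints seen across all 16 index values. */
int distinct_footprints(int use_sliced) {
    uint32_t seen[ENTRIES];
    unsigned char out[ENTRY_LEN];
    int n = 0, j;
    for (unsigned idx = 0; idx < ENTRIES; idx++) {
        uint32_t m = use_sliced ? lookup_sliced(idx, out) : lookup_flat(idx, out);
        for (j = 0; j < n && seen[j] != m; j++) {}
        if (j == n) seen[n++] = m;
    }
    return n;
}
int main(void) {
    table_fill();
    printf("flat: %d footprints, sliced: %d\n", distinct_footprints(0), distinct_footprints(1));
    return 0;
}
```

In the flat layout the cache line that is read identifies the index; in the sliced layout every lookup reads all 16 lines of the table, so the footprint is the same for every index.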

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:53 UTC