How will future microarchitectures impact the security of existing cryptographic implementations? As we cannot keep reducing the size of transistors, chip vendors have started developing new microarchitectural optimizations to speed up computation. A recent study (Sanchez Vicarte et al., ISCA 2021) suggests that these optimizations might open the Pandora's box of microarchitectural attacks. However, there is little guidance on how to evaluate the security impact of future optimization proposals. To help chip vendors explore the impact of microarchitectural optimizations on cryptographic implementations, we develop (i) an expressive domain-specific language, called LmSpec, that allows them to specify the leakage model for the given optimization and (ii) a testing framework, called LmTest, to automatically detect leaks under the specified leakage model within the given implementation. Using this framework, we conduct an empirical study of 18 proposed microarchitectural optimizations on 25 implementations of eight cryptographic primitives in five popular libraries. We find that every implementation would contain secret-dependent leaks, sometimes sufficient to recover a victim's secret key, if these optimizations were realized. Ironically, some leaks are possible only because of coding idioms used to prevent leaks under the standard constant-time model.
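The abstract's central mechanism, a leakage model specified separately from the implementation and a tester that checks whether observations differ across secrets, can be illustrated in miniature. The following Python is an added example written for this page; it is not LmSpec, LmTest, or any code from the paper. The tiny tracer, the two toy implementations, and the "operand-zero" leakage model (standing in for a hypothetical optimization that skips work when an operand is zero) are all constructed here for illustration. It shows the abstract's last point: a branch-based select leaks under the standard constant-time model, while the mask-based constant-time idiom passes that model but leaks under the new one, because the all-zero or all-ones mask itself becomes observable.

```python
"""Miniature leakage-model tester (illustrative; not LmSpec/LmTest)."""
from typing import Callable, Dict, List, Optional, Tuple

MASK64 = (1 << 64) - 1

# A trace is the sequence of executed "instructions" with their operand values.
Trace = List[Tuple[str, Tuple[int, ...]]]

# Two-operand ALU operations of the toy instruction set used here.
ALU: Dict[str, Callable[[int, int], int]] = {
    "and": lambda a, b: a & b,
    "or": lambda a, b: a | b,
    "xor": lambda a, b: a ^ b,
    "sub": lambda a, b: (a - b) & MASK64,
}


class Tracer:
    """Records every operation an implementation performs, including operand
    values, so that a leakage model can later decide what an observer sees."""

    def __init__(self) -> None:
        self.trace: Trace = []

    def op(self, name: str, a: int, b: int) -> int:
        self.trace.append((name, (a, b)))
        return ALU[name](a, b)

    def branch(self, taken: bool) -> None:
        # Control flow is recorded as a distinct instruction per direction.
        self.trace.append(("br_taken" if taken else "br_fallthrough", ()))


def ct_select(t: Tracer, bit: int, a: int, b: int) -> int:
    """Standard constant-time idiom: mask = 0 - bit is all-ones or all-zeros,
    so no branch depends on the secret bit."""
    mask = t.op("sub", 0, bit)
    return t.op("or", t.op("and", a, mask), t.op("and", b, t.op("xor", mask, MASK64)))


def branch_select(t: Tracer, bit: int, a: int, b: int) -> int:
    """Naive select with a secret-dependent branch."""
    t.branch(bit == 1)
    return a if bit == 1 else b


# A leakage model maps a trace to what the attacker is assumed to observe.
LeakageModel = Callable[[Trace], list]


def constant_time_model(trace: Trace) -> list:
    """Standard constant-time model: the instruction stream (control flow) is
    visible, operand values are not."""
    return [name for name, _ in trace]


def operand_zero_model(trace: Trace) -> list:
    """Constructed model of a hypothetical optimization that short-cuts work
    when an operand is zero: the observer additionally learns, per operand,
    whether it was zero."""
    return [(name, tuple(x == 0 for x in operands)) for name, operands in trace]


def find_leak(impl, model: LeakageModel, public: Tuple[int, int],
              secret_values: Tuple[int, ...] = (0, 1)) -> Optional[Tuple[int, int]]:
    """Run impl on the same public inputs with each secret value; return a pair
    of secrets whose observations differ (a secret-dependent leak), else None."""
    observations = {}
    for s in secret_values:
        t = Tracer()
        impl(t, s, *public)
        observations[s] = model(t.trace)
    first = secret_values[0]
    for s in secret_values[1:]:
        if observations[s] != observations[first]:
            return (first, s)
    return None


MODELS = {"constant-time": constant_time_model, "operand-zero": operand_zero_model}
IMPLS = {"ct_select": ct_select, "branch_select": branch_select}


def leak_matrix(public: Tuple[int, int] = (0x1234, 0xABCD)) -> Dict[Tuple[str, str], bool]:
    """Which (implementation, leakage model) pairs show a secret-dependent leak."""
    return {(i, m): find_leak(impl, model, public) is not None
            for i, impl in IMPLS.items() for m, model in MODELS.items()}


if __name__ == "__main__":
    for (impl_name, model_name), leaks in leak_matrix().items():
        print(f"{impl_name:14s} under {model_name:14s}: {'LEAK' if leaks else 'ok'}")
```

Running it reports `ct_select` as clean under the constant-time model and leaking under the operand-zero model, while `branch_select` leaks under both. Swapping in a different model function is the only change needed to evaluate the same implementations against another proposed optimization, which is the separation of concerns the abstract describes.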