https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123787
Bug ID: 123787
Summary: Timing leaks in `__mulbitint3`
Product: gcc
Version: 16.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: thomas.bellebaum at aisec dot fraunhofer.de
Target Milestone: ---
I write cryptographic code in C using 128-bit and 256-bit numbers.
For portability I use `_BitInt(128)` and `_BitInt(256)` rather than, say,
`__int128`.
My expectation was that certain simple operations would be constant time,
including the `*` multiplication operator. (This can easily be implemented for
few-limb numbers using few ASM multiplications on most platforms.)
However, I noticed that while clang generates inline code, GCC likes to
generate calls to the compiler-support routine `__mulbitint3`, which is
preferable in theory to reduce code size.
Unfortunately, this renders my code insecure when compiled with GCC, because
`__mulbitint3` tries to dynamically determine the actual precision of the
operands to speed up the multiplication.
Would it be possible to make this routine constant-time?
Do you know of any use cases requiring huge `_BitInt(n)`s which are unable to
pay the price of a generic n-bit multiplication while numbers are small?
If so, would it be possible to provide a compiler annotation for those use
cases such that the default implementation is safe?
