Slice bytes of G multiples to avoid cache timings. #1

1. 
   sipa commented at 11:29 pm on March 6, 2014: contributor
2. Slice bytes of G multiples to avoid cache timings 65a79b300c
3. 
   gmaxwell commented at 0:06 am on March 7, 2014: contributor

   So measuring the cycle counts for pubkey generation (on my laptop, pinned to a single cpu and running with realtime priority):

   (tn is with the pull, to is without)

   summary(scan(’tn’)) Read 1000000 items Min. 1st Qu. Median Mean 3rd Qu. Max. 76450 76920 77010 78230 77110 439600 summary(scan(’to’)) Read 1000000 items Min. 1st Qu. Median Mean 3rd Qu. Max. 63810 64380 64450 65440 64540 311000 sd(scan(’tn’)) Read 1000000 items [1] 4820.458 sd(scan(’to’)) Read 1000000 items [1] 4523.553

   So it’s a fair bit slower, and it’s not obvious that it reduced the timing variance. (though it is sightly less if I exclude measurements past the 3rd quartile)

4. 
   sipa commented at 0:18 am on March 7, 2014: contributor

   I only expect time variations if you have significant ranges of identical multiplicand bits between consecutive runs, which I don’t expect to happen in random multiplications.
5. sipa referenced this in commit 78cb860733 on Mar 12, 2014
6. sipa merged this on Mar 12, 2014
7. sipa closed this on Mar 12, 2014

   ---

8. taolinke cross-referenced this on Sep 14, 2017 from issue bench_verify test condition failed by taolinke
9. unknown cross-referenced this on Dec 8, 2017 from issue Cannot build on Debian stretch by possientis
10. gmaxwell cross-referenced this on Mar 4, 2019 from issue Allow to use external default callbacks by real-or-random
11. benma referenced this in commit d581749227 on Jun 21, 2019
12. Davidson-Souza cross-referenced this on Jun 20, 2023 from issue ElligatorSwift + integrated x-only DH by sipa

Contributors
sipa gmaxwell