David Wong

cryptologie.net

cryptography, security, and random thoughts

Hey! I'm David, cofounder of zkSecurity, research advisor at Archetype, and author of the Real-World Cryptography book. I was previously a cryptography architect of Mina at O(1) Labs, the security lead for Libra/Diem at Facebook, and a security engineer at the Cryptography Services of NCC Group. Welcome to my blog about cryptography, security, and other related topics.

← back to all posts

Cryptography and assembly code

blog

Thanks to filippo streaming his adventures rewriting Golang assembly code into “cleaner” Golang assembly code, I discovered the Avo assembly generator for Golang.

This post is not necessarily about Golang, but Golang is a good example as its standard library is probably the best cryptographic standard library of any programming language.

At dotGo 2019, Michael McLoughlin presented on his Avo tool. In the talk he mentions that there’s 24,962 x86 assembly lines in Golang’s standard library, and most of it is in the crypto package. A very “awkward” place where “we need very high performance, and absolute correctness”. He then shows several example that he describes as “write-once code”.

assembly golang crypto

The talk is really interesting and I recommend you to check it.

I personally spent days trying to understand Golang’s SHA-3 assembly implementation. I even created a Go Assembly by Example page to help me in this journey. And I ended up giving up. I just couldn’t understand how it worked, the thing didn’t make sense. Someone had written it with their own mental model of how they wanted to pass data around. It was horrible.

It’s not just a problem of Golang. Look at OpenSSL, for example, which most cryptographic applications and libraries rely on. It contains a huge amount of assembly code to implement cryptography, and that assembly code is sometimes generated by unintelligible perl code.

There are many more good examples out there. the BearSSL TLS implementation by Thomas Pornin, the libsodium cryptographic library by Frank Denis, the extended keccak code package by the Keccak team, all use assembly code to produce fast cryptography.

We’re making such a fuss about readable, auditable, simple and clear cryptographic implementations, but most of that has been thrown out of the window in the quest for performance.

The real problem, from a reviewer perspective is that assembly is getting us much further away from the specification. As the role of a reviewer is to match the implementation to the specification, it makes the job hard, perhaps impossible.

Food for thoughts…

suggested reads:
SIMD instructions in Go blog
CVE-2016-3959 blog
StrobeGo blog
← back to all posts blog • 2021-03-31
currently reading:
Cryptography and assembly code
03-31 blog
recent posts:
New cryptologie.net
07-20 blog
Weaponizing AI Assistants: With Their Permission
07-20 blog
What are Schwartz-Zippel circuits? How do they relate to iterative constraint systems?
05-29 blog
Short Note On Montgomery Reduction: Why Operating Modulo b?
05-24 blog
Still confused by Plonk's permutation?
03-13 blog
📖 my book
Real-World Cryptography is available from Manning Publications.
A practical guide to applied cryptography for developers and security professionals.
🎙️ my podcast
Two And A Half Coins on Spotify.
Discussing cryptocurrencies, databases, banking, and distributed systems.
📺 my youtube
Cryptography videos on YouTube.
Video explanations of cryptographic concepts and security topics.