1. 25
  1.  

  2. 2

    The worst case is that today you promise secrecy for, e.g., the MUL inputs, and then realize in several years that you really want to make a faster variable-time multiplier; the commitment would then force you to add a new MULABORT instruction rather than violating the secrecy of the MUL instruction.

    I’ve got a lot of respect for DJB, but I think he’s severely understating the downside here. Many of the IPC improvements over the last few years (since the end of the clock speed “free lunch”) have come from clever changes to the ways the CPU handles some instructions. Tightly specifying the behavior of instructions like this would constrain further innovation.