Summary
Split argument meaning across multiple native calls for crypto-sensitive targets. Instead of passing all args to a single NATIVE_CALL, decompose into multiple calls where each reveals only partial information about the full argument set.
Reference
- Doc 15 §6.2: Remote Call Inversion
- Doc 14 §4.1: Superoperator fusion (related — fused stubs reduce exposure windows)
Rationale
Current NATIVE_CALL exposes full plaintext operands in CPU registers for the duration of the call (Class C, acknowledged in doc 15 §11.8). Remote Call Inversion would reduce this exposure by distributing argument information across multiple call sites, making it harder for an attacker to correlate a single trace point with the full input.
Scope
Deferred to a future plan. Requires:
- Compiler changes (split call emission)
- Multiple TransitionEntry entries per logical call
- Correlation protocol between partial calls
- Analysis of which targets benefit (crypto key derivation, license checks)
Priority
Low — the current single-call model with FPE encoding and ephemeral nonces provides adequate protection for v1 targets. This is a defense-in-depth enhancement for high-sensitivity regions.
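The sketch below is an added illustration of the split-call idea, not code from this project or from doc 15. It assumes a target that can consume its input incrementally; `split_session`, `derive_part`, the correlation id and the FNV-1a digest (a toy stand-in for a real KDF) are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical native-side state for one logical call split into parts. */
typedef struct {
    uint64_t corr;      /* correlation id shared by the partial calls */
    uint64_t state;     /* running digest only; never the joined operand */
    unsigned next, total;
    int active;
} split_session;

/* FNV-1a absorb step: a toy stand-in for a real incremental KDF/MAC. */
static uint64_t absorb(uint64_t st, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { st ^= p[i]; st *= 0x100000001b3ULL; }
    return st;
}

/* Single-call model: the whole operand is visible at one trace point. */
uint64_t derive_single(const uint8_t *key, size_t n) {
    return absorb(0xcbf29ce484222325ULL, key, n);
}

/* One partial call: 0 = accepted, 1 = final (*out set), -1 = rejected. */
int derive_part(split_session *s, uint64_t corr, unsigned seq, unsigned total,
                const uint8_t *part, size_t n, uint64_t *out) {
    if (seq == 0 && total > 0) {   /* first part opens the session */
        s->corr = corr; s->state = 0xcbf29ce484222325ULL;
        s->next = 0; s->total = total; s->active = 1;
    }
    if (!s->active || corr != s->corr || seq != s->next || total != s->total) {
        s->active = 0;             /* reordered, replayed or foreign part */
        return -1;
    }
    s->state = absorb(s->state, part, n);
    if (++s->next < s->total) return 0;
    s->active = 0;
    *out = s->state;
    return 1;
}

/* Constructed sample: a 16-byte key fed as two 8-byte parts. */
int demo_split_matches_single(void) {
    static const uint8_t key[16] = "constructed-key";
    split_session s = {0};
    uint64_t out = 0;
    if (derive_part(&s, 0x51, 0, 2, key, 8, &out) != 0) return 0;
    if (derive_part(&s, 0x51, 1, 2, key + 8, 8, &out) != 1) return 0;
    return out == derive_single(key, 16);
}
```

Each `derive_part` call carries only its own slice, and the session keeps a digest state rather than the concatenated input, so the result matches the single-call path without any one call site holding the full operand.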