Can anyone here with expertise on branch prediction security give insight into how the mitigation described in Section V compares to the one described in the paper linked below from ARM Research?
I didn't fully read the paper you linked, but I think at a high level the difference is this: the Exynos approach only encrypts the data stored in the branch predictor, while the Arm approach additionally encrypts the index.
The Exynos approach means that if the attacker can find a branch of its own that has a hash collision with the desired victim branch during the course of the victim's lifetime, it can still perform a cross-training attack (however, if the victim exits and is relaunched then the mapping will change and the attacker must start over). This is perhaps unlikely, but the Exynos paper only suggests as a mitigation that the OS periodically change the key, at the expense of mispredictions (see the last paragraph of Section V).
The Arm approach solves this by using a "light-weight set update mechanism" that allows the hardware to automatically change the key periodically without incurring as much overhead. I'd have to read the paper more carefully to understand exactly how it works though.
https://jlee0517.github.io/publications/taco_final.pdf