Skip to content

[WIP] ctutils: constant-time selection and equality testing #1243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
tarcieri wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

[WIP] ctutils: constant-time selection and equality testing #1243

tarcieri wants to merge 1 commit into from

Conversation

@tarcieri
Copy link
Member

@tarcieri tarcieri commented Oct 28, 2025

(for lack of a better name)

This is woefully incomplete but I'm pushing it up anyway since several people have asked about const fn support for subtle.

This is effectively a rewrite of subtle using the cmov crate for both constant-time selection/predication as well as equality comparisons. The cmov crate uses architecture-specific predication instructions on x86(_64) and ARM, with a portable "best effort" fallback.

It uses core::hint::black_box on-access as an optimization barrier, however this is a belt-and-suspenders defense paired with the use of intrinsics where available. This is a bit different than subtle which uses a similar black box optimization barrier at initialization time. There are a couple problems with this approach:

  1. The optimizer can assume the value is unchanged after repeat accesses to the same Choice, which means it could potentially insert a branch to e.g. shortcut-on-zero
  2. black_box is (rather annoyingly) only const fn in Rust 1.86. This is targeting an initial MSRV of 1.85, as well as supporting const fn constructors for Choice which are a big missing piece in subtle right now

I'm not intending to replace our usages of subtle with this yet (I'd much rather ship everything), but would like to have a testbed for using cmov for constant-time operations which can perhaps inform a potential subtle v3.0 (if I can make that happen).

To be useful, this still needs an equivalent of CtOption (ideally with much more const fn support), which I was hoping to implement before pushing this up.

One thing we could consider is trying to get this complete enough to use in crypto-bigint to replace ConstChoice/ConstCtOption, though it would likely need all of the methods on Choice to be const fn, which would probably involve shipping Choice without black_box (i.e. what crypto-bigint is already doing), and then adding a subtle integration for converting ctutil::Choice -> subtle::Choice and a prospective ctutil::CtOption -> subtle::CtOption.

cc @andrewwhitehead @fjarri @ycscaly

tarcieri
tarcieri commented Oct 28, 2025
View reviewed changes
tarcieri
tarcieri commented Oct 28, 2025
View reviewed changes
tarcieri
tarcieri commented Oct 28, 2025
View reviewed changes
@tarcieri tarcieri mentioned this pull request Oct 28, 2025
Open
tarcieri
tarcieri commented Oct 28, 2025
View reviewed changes
@fjarri
Copy link

fjarri commented Oct 28, 2025

So why not just bump the MSRV to 1.86?

@tarcieri
Copy link
Member Author

tarcieri commented Oct 28, 2025
edited
Loading

@fjarri we're trying to ship everything as 1.85 so it can be packaged on Debian stable, then bumping MSRV after that (now that there's an MSRV-aware resolver)

That said, there are several places post-1.85 features would be nice in crypto-bigint, particularly inference for const-generic trait parameters.

@tarcieri tarcieri force-pushed the ctutils branch 4 times, most recently from 94bc9dd to 26193d0 Compare December 18, 2025 04:37
@tarcieri
[WIP] ctutils: constant-time selection and equality testing
e96e560 
Inspired by the `subtle` crate, this is a next-generation constant time
utility crate built on the `cmov` crate's constant-time
selection/predication and equality comparisons.

It proactively uses `const fn` wherever possible.

Additionally, it uses `black_box` as a "best effort" optimization
barrier whenever accessing its constant time conditional type (called
`Choice` as in `subtle`), providing an additional line of defense
against possible future compiler optimizations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@fjarri fjarri fjarri left review comments

@andrewwhitehead andrewwhitehead andrewwhitehead left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tarcieri @fjarri @andrewwhitehead