[API Proposal]: CryptographicOperations.FixedTimeIsZeros

[vcsjones]

Background and motivation

a couple of times it has come up that I needed to answer this question: I need to determine if this buffer is all zero or not, and do it in a fixed-time manner.

You can do that with something like:

CryptographicOperations.FixedTimeEquals(input, [0, 0, 0, 0, 0])

But that forces materializing some second parameter of zeros.

API Proposal

namespace System.Security.Cryptography;

public static partial class CryptographicOperations {
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    public static bool FixedTimeIsZeros(ReadOnlySpan<byte> source);
}

The implementation will just accumulate bits with | and return true if the accumulated value is zero.

API Usage

bool isZeros = CryptographicOperations.FixedTimeIsZeros(someInput);

Alternative Designs

We could make this genetic against any scalar:

public static bool FixedTimeEquals(ReadOnlySpan<byte> input, byte comparer);

Which basically would just subtract the comparer from each element, then accumulate bits. This would allow to to do something like:

bool allZeros = FixedTimeEquals(input, 0);
bool allOnes = FixedTimeEquals(input, 1);

Risks

No response

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[bartonjs]

I'm not sure if I like the singular or plural for Zero, but we can let the review group discuss. (00 is 0, 0000 is 0, 0000000000000000000000 is 0, so "AreAllBytesZero" is one interpretation, "is this equivalent to the number zero" is another).

Oooh, don't we have some sort of AllBitsZero somewhere? (I can't find it, so, maybe not)

What's your thought on the empty input? Your described algorithm returns true. That and throwing both make sense to me.

[vcsjones]

What's your thought on the empty input? Your described algorithm returns true. That and throwing both make sense to me.

Either are fine with me but I had intended to return true. FixedTimeEquals([], []) returns true and this feels kind of analogous to that.

don't we have some sort of AllBitsZero somewhere? (I can't find it, so, maybe not)

I don't think so. We do have one in X25519 Windows that does FixedTimeEquals(input, [0, 0, 0, ..., 0] that this will replace, if approved.

[EgorBo]

[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]

btw, for CoreCLR/NAOT NoOptimization implies NoInlining, not sure about other runtimes, though.

[bartonjs]

Re: AllBitsZero, I thought it was in generic math, answering "is this number zeroish"

[tannergooding]

FixedTimeIsAllZero?