Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign upAnnotate blocks that must run in constant time regardless of inputs #847
Comments
steveklabnik
referenced this issue
Feb 14, 2015
Closed
Annotate blocks that must run in constant time regardless of inputs #9859
steveklabnik
added
the
A-enhancement
label
Feb 14, 2015
This comment has been minimized.
This comment has been minimized.
hauleth
commented
Aug 19, 2015
|
I think that it could be done via wrapper like |
burdges
referenced this issue
Feb 19, 2016
Closed
Replace crypto/cipher/e_chacha20poly1305.c with Rust code #84
steveklabnik
referenced this issue
Dec 9, 2016
Open
Include constant time integer operation inside core #1814
This comment has been minimized.
This comment has been minimized.
|
The constant-time discipline can be enforced at source level without language changes, by taking advantage of lifetime parametricity. See #1814 (comment). Providing the needed constant-time primitives in a way that avoids unsafe LLVM optimizations is a separate problem that needs to be addressed, but assuming those primitives can be provided, this allows you to guarantee that you’re combining them in safe ways. It’s probably sufficient to write the primitives in inline assembly. |
This comment has been minimized.
This comment has been minimized.
briansmith
commented
Jan 17, 2017
|
I suggest that this RFC be closed. In actual crypto code, operations on secret values that need to be constant time are interleaved with operations on non-secret values that do not need to be constant time. We want the optimizer to fully optimize the operations on non-secret data while only doing safe optimizations on the code that manipulates secret data. Accordingly, it's better to focus effort on annotations at the value level, not the code block level. |
Centril
added
the
T-lang
label
Feb 23, 2018
petrochenkov
removed
the
A-enhancement
label
Feb 24, 2018
This comment has been minimized.
This comment has been minimized.
|
@briansmith is there an rfc issue for the "annotations at the value level" discussion ? |
This comment has been minimized.
This comment has been minimized.
|
Nothing that I could find. |
This comment has been minimized.
This comment has been minimized.
|
Closing in favor of #2533. |
steveklabnik commentedFeb 14, 2015
Tuesday Oct 15, 2013 at 00:03 GMT
For earlier discussion, see rust-lang/rust#9859
This issue was labelled with: A-llvm in the Rust repository
In a whole bunch of security-related contexts it's important to write code that runs in constant time regardless of input; the obvious example is that if you compare two strings character-by-character for equality and break out of the loop when you hit the first difference, someone might learn how much of their forged authentication token (for example) was correct by measuring the time it took to fail.
Constant-time code requires careful programming, but in the general case it also requires compiler support -- at minimum, it has to be possible to disable optimizations that would convert
a|btoa||bin the name of speed, or similar. Ideally, though, the compiler would verify that an annotated block would execute in constant time, and fail the compilation if it was impossible to guarantee that of the generated code.I think the natural way to expose this in Rust is a
#[constant_time]annotation that could be applied to blocks. Most of the heavy lifting, however, probably needs to be done in the LLVM core.