[Cryptography] Ada vs Rust vs safer C

John Gilmore gnu at toad.com
Sun Sep 18 18:05:20 EDT 2016

Ron Garret said:
> You are right, however, that this is indeed undefined behavior,
> although I think you'd be hard pressed to find a compiler that
> actually took advantage of that fact to do anything other than do the
> math mod 2^n for some appropriate value of n.

As Florian said, GCC and Clang do take advantage, to produce faster,
smaller code for the very very common case where no overflow occurs.

If you want your addition done mod 2^n, declare your variables
"unsigned".  Unsigned arithmetic has well defined, portable behavior
in C.  If you declare them as signed integers, the program's behavior
at overflow is undefined.

Two's complement arithmetic is very convenient for hardware, but has
some counterintuitive mathematical properties at the margins.  The C
language is designed to let the obvious hardware instructions be used
for its constructs, so it classes those edge cases as undefined
behavior (that indeed may vary from one machine architecture to

This design decision was better for execution speed than for software
reliability.  In future revisions of the C standard, someone should
argue that maybe we have enough execution speed now but not enough
software reliability.  So maybe the language should evolve in a way
that defines these edge cases (and requires slower code on some
oddball architectures).  C is a living language and it does evolve.
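
An added example, not part of the message above: the unsigned/signed distinction it describes, in C. The function names are made up for this illustration. The first function relies on the defined mod 2^n behavior of unsigned addition, the second shows the after-the-fact overflow test that a compiler may delete, and the third tests the operands before adding so no signed overflow ever occurs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned addition: C defines the result as the true sum reduced mod 2^32. */
uint32_t add_wrap_u32(uint32_t a, uint32_t b) { return a + b; }

/* Shown for contrast, never called here. The overflow has already happened
 * (undefined behavior) by the time the test runs, so an optimizer may assume
 * "s < a" is impossible for b > 0 and compile this to "return false". */
bool overflow_check_after_the_fact(int a, int b) {
    int s = a + b;
    return b > 0 && s < a;
}

/* Checked signed addition: compare against the limits first, so the
 * addition is only performed when its result is representable. */
bool add_checked_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;              /* would overflow: report, do not add */
    *out = a + b;
    return true;
}

/* Signed value with wraparound: do the arithmetic in unsigned, convert back.
 * The conversion of an out-of-range value is implementation-defined, not
 * undefined; GCC and Clang define it as reduction mod 2^32. */
int32_t add_wrap_i32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

int main(void) {
    int sum = 0;
    printf("UINT32_MAX + 1 (unsigned) = %u\n",
           (unsigned)add_wrap_u32(UINT32_MAX, 1u));
    printf("INT_MAX + 1 (checked)     = %s\n",
           add_checked_int(INT_MAX, 1, &sum) ? "ok" : "overflow rejected");
    printf("INT32_MAX + 1 (wrapped)   = %d\n", (int)add_wrap_i32(INT32_MAX, 1));
    return 0;
}
```
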

