[Cryptography] Implementing constant-time string comparison
Anton Titov
anton at titov.net
Wed Jun 18 03:48:51 EDT 2014
On 18.06.2014 01:07, Steve Weis wrote:
> I had not considered the (d == 0) comparison as potential timing leak,
> but think there is probably a good reason NaCl is using it.
>
>
I think the motivation to use a complicated calculation rather than just
(d==0) comparison is not to ease the compiler. If the compiler knows you
are looking for any non-zero result from the xor operation, it may
decide to add jnz (conditional jump) after the xor instruction and break
your constant-time efforts. Inserting yet another conditional in a tight
loop might seem counter-productive, but I've seen tight loops like this
vectorized as SIMD instructions (on high optimization levels, when you
instruct the compiler that the target is a modern processor) and the
loop gets not-so-tight.
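
The two reductions discussed in this message, side by side, as an added example that is not part of the original post or of NaCl's source. The function names and sample buffers are hypothetical and constructed for illustration; the arithmetic form maps an accumulated XOR of 0 to 0 and anything else to -1 without using a comparison operator.

```c
#include <stddef.h>
#include <stdio.h>

/* Accumulate the XOR of every byte pair; d ends up in 0..255.
 * The volatile qualifiers discourage the compiler from adding an
 * early exit or reshaping the loop, but C gives no timing guarantee. */
static unsigned int xor_accumulate(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *x = a;
    const volatile unsigned char *y = b;
    unsigned int d = 0;
    size_t i;

    for (i = 0; i < len; i++)
        d |= (unsigned int)(x[i] ^ y[i]);
    return d;
}

/* Comparison form: the final "d != 0" is something the compiler is
 * free to lower to a conditional jump. Returns 0 if equal, else -1. */
int compare_eqtest(const void *a, const void *b, size_t len)
{
    return xor_accumulate(a, b, len) != 0 ? -1 : 0;
}

/* Arithmetic form: for d == 0, d - 1 wraps to UINT_MAX and bit 8 is
 * set, giving 1 - 1 = 0. For d in 1..255, d - 1 is in 0..254, bit 8
 * is clear, giving 0 - 1 = -1. No comparison operator is involved. */
int compare_arith(const void *a, const void *b, size_t len)
{
    unsigned int d = xor_accumulate(a, b, len);
    return (int)(1 & ((d - 1) >> 8)) - 1;
}

int main(void)
{
    /* Constructed sample values, not real authenticators. */
    const unsigned char tag[8]  = { 1, 2, 3, 4, 5, 6, 7, 8 };
    const unsigned char same[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    const unsigned char diff[8] = { 1, 2, 3, 4, 5, 6, 7, 9 };

    printf("equal:   %d %d\n", compare_eqtest(tag, same, 8), compare_arith(tag, same, 8));
    printf("differs: %d %d\n", compare_eqtest(tag, diff, 8), compare_arith(tag, diff, 8));
    return 0;
}
```

Both functions return the same values; whether either one is free of data-dependent branches can only be confirmed by reading the assembly the compiler emits at the optimization level actually shipped (for example the output of `cc -O3 -S`).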