[Cryptography] Implementing constant-time string comparison

John Gilmore gnu at toad.com
Wed Jun 18 14:25:30 EDT 2014


> >> static int vn(const u8 *x,const u8 *y,int n)
> >> {
> >>  u32 i,d = 0;
> >>  for (i = 0;i < n;++i) d |= x[i]^y[i];
> >>  return (1 & ((d - 1) >> 8)) - 1;
> >> }

A bugfree C compiler, even if it could see through the return
expression's subterfuge, would be unable to shortcut the loop if the
arguments were merely declared as pointers to volatile storage (e.g.
volatile const u8 *x).  C compilers are required to avoid
optimizations that remove, insert, or reorder accesses to volatile
variables, since such accesses are defined by the programmer to have
side-effects that accesses to normal storage locations do not.  This
applies equally well to cryptanalysis-related timing side-effects as
it does to hardware registers that do odd side-things when you read or
write them.

	John
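Added example, not part of John's post or the quoted code: the quoted vn() rewritten with the volatile-qualified arguments he suggests, plus a small helper that exercises the return expression on a single-bit difference. u8 and u32 are assumed to be the fixed-width types from stdint.h; vn_volatile and ct_equal are names chosen here.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;
typedef uint32_t u32;

/* Compare n bytes (n assumed non-negative); returns 0 if all bytes
 * match and -1 otherwise.  The volatile qualifier obliges the compiler
 * to perform every x[i] and y[i] read, so it cannot exit the loop early
 * on the first mismatch even if it understands the return expression. */
static int vn_volatile(const volatile u8 *x, const volatile u8 *y, int n)
{
    u32 i, d = 0;
    for (i = 0; i < (u32)n; ++i) d |= x[i] ^ y[i];
    /* d is 0 when all bytes match, otherwise some value in 1..255.
     * d == 0: d-1 = 0xFFFFFFFF, >>8 keeps bit 0 set, &1 = 1, -1 -> 0
     * d  > 0: d-1 <= 254,       >>8 = 0,              &1 = 0, -1 -> -1 */
    return (1 & ((d - 1) >> 8)) - 1;
}

/* Caller-friendly wrapper: 1 if equal, 0 if not. */
int ct_equal(const void *a, const void *b, int n)
{
    return vn_volatile((const volatile u8 *)a, (const volatile u8 *)b, n) == 0;
}

/* Constructed check: two 32-byte buffers differing only in the top bit
 * of the last byte.  A naive "d != 0" test would also catch this, but
 * the helper shows that the shift-based return expression does too
 * (the XOR of 0x80 must still collapse to -1). */
int demo_msb_diff(void)
{
    u8 a[32], b[32];
    memset(a, 0x55, sizeof a);
    memset(b, 0x55, sizeof b);
    b[31] ^= 0x80;
    return vn_volatile(a, b, 32);
}

int main(void)
{
    return ct_equal("abcdef", "abcdef", 6) && !ct_equal("abcdef", "abcdeg", 6)
           && demo_msb_diff() == -1 ? 0 : 1;
}
```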

