Skip to content

Harden constant-time equality on arrays and slices #120

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Harden constant-time equality on arrays and slices #120

wants to merge 1 commit into from

Conversation

AaronFeickert
Copy link
Contributor

@AaronFeickert AaronFeickert commented Feb 12, 2024
edited
Loading

The current implementation of ConstantTimeEquality for arrays and slices will short-circuit if the lengths are different. This PR does a constant-time length check before the componentwise check, and then uses a constant-time BitAnd for the final result.

This still strikes me as controversial, since both the existing implementation and this update leak something about length:

  • The existing implementation leaks if the slices/arrays have different lengths, as well as the length itself via timing.
  • The updated implementation leaks only the length via timing.

This seems like at worst no improvement, and at best a reasonable improvement.

@AaronFeickert AaronFeickert force-pushed the array_ct_eq branch 2 times, most recently from ac6dee3 to 9eb91e9 Compare March 5, 2024 18:03
@AaronFeickert AaronFeickert changed the base branch from main to develop March 5, 2024 18:04
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@AaronFeickert