A fun case study I just encountered...
here is some C code https://godbolt.org/z/FzRm5h
here is an attempt to translate that code into Rust https://godbolt.org/z/HCFmjy
now with more jump instructions
Let's talk about code quality in cryptographic implementations. A lot of people in this thread say that the code in question is terrible but no one offers a convincing reason. Moreover, this is not constructive. https://twitter.com/isislovecruft/status/1153829390138171392 - Tim Ruffing (@real_or_random)
Your Rust code is much different than the C code. Rewrite your Rust code using usize instead of bool and it may do the right thing.
in particular, you're using short-circuiting || in the Rust code, instead of non-short-circuiting | in the C code.
That said, I wouldn't use >, etc. in C either
yeah, we already did that
and it appears to be constant time
Nice. Lucky that LLVM hasn't gotten around to optimizing that the wrong way yet.
Interestingly, there are passes in LLVM that do optimize similar things a bad way, recognizing patterns for constant-time conditionals and converting them into non-constant-time conditionals, with the goal (I think) of having the auto-vectorizer convert them into SIMD conditionals that accidentally happen to be constant time.
...but, when the auto-vectorization doesn't happen, it ends up using the non-constant-time scalar version of the code.