Lib.rs

Cryptography | Hardware support
#intrinsics #constant-time #conditional #cpu #move #instructions #branch

no-std cmov

Conditional move CPU intrinsics which are guaranteed to execute in constant-time and not be rewritten as branches by the compiler. Provides wrappers for the CMOV family of instructions on x86/x86_64 and CSEL on AArch64

by Tony Arcieri, RustCrypto

5 unstable releases

0.3.1 Oct 14, 2023
0.3.0 Apr 3, 2023
0.2.0 Feb 26, 2023
0.1.1 Mar 2, 2022
0.0.0 Feb 11, 2022

#2374 in Cryptography

Download history 59/week @ 2023-12-11 53/week @ 2023-12-18 7/week @ 2023-12-25 9/week @ 2024-02-12 37/week @ 2024-02-19 36/week @ 2024-02-26 82/week @ 2024-03-04 74/week @ 2024-03-11 81/week @ 2024-03-18 126/week @ 2024-03-25

366 downloads per month
Used in lockstitch

Apache-2.0 OR MIT

23KB
462 lines

RustCrypto: CMOV (Conditional Move)

Crate Docs Build Status Apache 2.0/MIT Licensed MSRV

Conditional move CPU intrinsics which are guaranteed to execute in constant-time and not be rewritten as branches by the compiler.

Provides wrappers for the CMOV family of instructions on x86/x86_64 and the CSEL instruction on AArch64 CPUs, along with a portable fallback implementation for other CPU architectures.

Documentation

About

Conditional move intrinsics provide predication which allows selection of one or more values without using branch instructions, thus making the selection constant-time with respect to the values, and not subject to CPU execution features which might introduce timing or other microarchitectural sidechannels introduced by branch prediction or other speculative execution features.

Intel has confirmed that all extant CPUs implement the CMOV family of instructions in constant-time, and that this property will hold for future Intel CPUs as well.

This crate provides wrappers for the CMOV/CSEL instructions implemented using inline assembly as stabilized in Rust 1.59. This means the implementation is a black box that will not be rewritten by e.g. LLVM's architecture-specific lowerings, such as the x86-cmov-conversion pass.

Supported target architectures

This crate provides guaranteed constant-time operation using inline assembly on the following CPU architectures:

  • x86 (CMOVZ, CMOVNZ)
  • x86_64 (CMOVZ, CMOVNZ)
  • aarch64 (CSEL)

On other target architectures, a "best effort" portable fallback implementation based on bitwise arithmetic is used instead. However, we cannot guarantee that this implementation generates branch-free code.

It's possible to extend constant-time guarantees to other CPU architectures. Please open an issue with your desired CPU architecture if this interests you.

Minimum Supported Rust Version

Rust 1.60 or newer.

In the future, we reserve the right to change MSRV (i.e. MSRV is out-of-scope for this crate's SemVer guarantees), however when we do it will be accompanied by a minor version bump.

License

Licensed under either of:

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

No runtime deps