Uses old Rust 2015
#10 in #bit-manipulation
Used in 5 crates (2 directly)
Pure-Rust traits and utilities for constant-time cryptographic implementations.
It consists of a
Choice type, and a collection of traits using
bool which are intended to execute in constant-time. The
type is a wrapper around a
u8 that holds a
subtle = "2.4"
This crate represents a “best-effort” attempt, since side-channels are ultimately a property of a deployed cryptographic system including the hardware it runs on, not just of software.
The traits are implemented using bitwise operations, and should execute in constant time provided that a) the bitwise operations are constant-time and b) the bitwise operations are not recognized as a conditional assignment and optimized back into a branch.
For a compiler to recognize that bitwise operations represent a conditional
assignment, it needs to know that the value used to generate the bitmasks is
really a boolean
i1 rather than an
i8 byte value. In an attempt to
prevent this refinement, the crate tries to hide the value of a
u8 by passing it through a volatile read. For more information, see
the About section below.
Versions prior to
2.2 recommended use of the
nightly feature to enable an
optimization barrier; this is not required in versions
2.2 and above.
subtle crate contains
debug_asserts to check invariants during
debug builds. These invariant checks involve secret-dependent branches, and
are not present when compiled in release mode. This crate is intended to be
used in release mode.
Documentation is available here.
Minimum Supported Rust Version
Rust 1.41 or higher.
Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump.
This library aims to be the Rust equivalent of Go’s
The optimization barrier in
impl From<u8> for Choice was based on Tim
Maclean's work on
rust-timing-shield, which attempts to
provide a more comprehensive approach for preventing software side-channels in
subtle is authored by isis agora lovecruft and Henry de Valence.
This code is a low-level library, intended for specific use-cases implementing cryptographic protocols. It represents a best-effort attempt to protect against some software side-channels. Because side-channel resistance is not a property of software alone, but of software together with hardware, any such effort is fundamentally limited.
USE AT YOUR OWN RISK