5 stable releases

2.2.1 Sep 28, 2019
2.1.1 Jul 31, 2019
2.0.0 Dec 13, 2018
2.0.0-pre.0 Nov 5, 2018
0.2.0 Jul 31, 2017

#7 in Cryptography

Download history 24486/week @ 2019-06-15 20010/week @ 2019-06-22 17299/week @ 2019-06-29 19086/week @ 2019-07-06 19427/week @ 2019-07-13 19904/week @ 2019-07-20 23878/week @ 2019-07-27 23347/week @ 2019-08-03 24707/week @ 2019-08-10 22781/week @ 2019-08-17 21861/week @ 2019-08-24 22344/week @ 2019-08-31 22224/week @ 2019-09-07 26955/week @ 2019-09-14 28612/week @ 2019-09-21

96,713 downloads per month
Used in 643 crates (45 directly)


325 lines


Pure-Rust traits and utilities for constant-time cryptographic implementations.

It consists of a Choice type, and a collection of traits using Choice instead of bool which are intended to execute in constant-time. The Choice type is a wrapper around a u8 that holds a 0 or 1.

This crate represents a “best-effort” attempt, since side-channels are ultimately a property of a deployed cryptographic system including the hardware it runs on, not just of software.

The traits are implemented using bitwise operations, and should execute in constant time provided that a) the bitwise operations are constant-time and b) the operations are not optimized into a branch.

To prevent the latter possibility, when using the nightly feature (recommended), the crate attempts to hide the value of a Choice's inner u8 from the optimizer, by passing it through an inline assembly block. For more information, see the About section below.

version = "2.1"
features = ["nightly"]


  • The nightly feature enables the use of an optimization barrier to protect the Choice type. Using the nightly feature is recommended for security.


Documentation is available here.


This library aims to be the Rust equivalent of Go’s crypto/subtle module.

The optimization barrier in impl From<u8> for Choice was based on Tim Maclean's work on rust-timing-shield, which attempts to provide a more comprehensive approach for preventing software side-channels in Rust code.

subtle is authored by isis agora lovecruft and Henry de Valence.


This code is a low-level library, intended for specific use-cases implementing cryptographic protocols. It represents a best-effort attempt to protect against some software side-channels. Because side-channel resistance is not a property of software alone, but of software together with hardware, any such effort is fundamentally limited.


No runtime deps