Lib.rs

Cryptography
#constant-time #utilities #crypto #hold

no-std subtle

Pure-Rust traits and utilities for constant-time cryptographic implementations

by isis agora lovecruft, dalek-cryptography

13 stable releases

2.6.1 Jun 24, 2024
2.5.0 Feb 28, 2023
2.4.1 Jul 13, 2021
2.4.0 Dec 17, 2020
0.2.0 Jul 31, 2017

#17 in Cryptography

Download history 1706048/week @ 2024-07-30 1742821/week @ 2024-08-06 1757596/week @ 2024-08-13 1754116/week @ 2024-08-20 1712740/week @ 2024-08-27 1834349/week @ 2024-09-03 1730686/week @ 2024-09-10 1808495/week @ 2024-09-17 1914812/week @ 2024-09-24 2280061/week @ 2024-10-01 2471911/week @ 2024-10-08 2431799/week @ 2024-10-15 1998830/week @ 2024-10-22 1871886/week @ 2024-10-29 1871248/week @ 2024-11-05 1641224/week @ 2024-11-12

7,794,571 downloads per month
Used in 16,488 crates (433 directly)

BSD-3-Clause

39KB
455 lines

subtle

Pure-Rust traits and utilities for constant-time cryptographic implementations.

It consists of a Choice type, and a collection of traits using Choice instead of bool which are intended to execute in constant-time. The Choice type is a wrapper around a u8 that holds a 0 or 1.

subtle = "2.6"

This crate represents a “best-effort” attempt, since side-channels are ultimately a property of a deployed cryptographic system including the hardware it runs on, not just of software.

The traits are implemented using bitwise operations, and should execute in constant time provided that a) the bitwise operations are constant-time and b) the bitwise operations are not recognized as a conditional assignment and optimized back into a branch.

For a compiler to recognize that bitwise operations represent a conditional assignment, it needs to know that the value used to generate the bitmasks is really a boolean i1 rather than an i8 byte value. In an attempt to prevent this refinement, the crate tries to hide the value of a Choice's inner u8 by passing it through a volatile read. For more information, see the About section below.

Rust versions from 1.51 or higher have const generics support. You may enable const-generics feautre to have subtle traits implemented for arrays [T; N].

Versions prior to 2.2 recommended use of the nightly feature to enable an optimization barrier; this is not required in versions 2.2 and above.

Note: the subtle crate contains debug_asserts to check invariants during debug builds. These invariant checks involve secret-dependent branches, and are not present when compiled in release mode. This crate is intended to be used in release mode.

Documentation

Documentation is available here.

Minimum Supported Rust Version

Rust 1.41 or higher.

Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump.

About

This library aims to be the Rust equivalent of Go’s crypto/subtle module.

Old versions of the optimization barrier in impl From<u8> for Choice were based on Tim Maclean's work on rust-timing-shield, which attempts to provide a more comprehensive approach for preventing software side-channels in Rust code. From version 2.2, it was based on Diane Hosfelt and Amber Sprenkels' work on "Secret Types in Rust".

subtle is authored by isis agora lovecruft and Henry de Valence.

Warning

This code is a low-level library, intended for specific use-cases implementing cryptographic protocols. It represents a best-effort attempt to protect against some software side-channels. Because side-channel resistance is not a property of software alone, but of software together with hardware, any such effort is fundamentally limited.

USE AT YOUR OWN RISK

No runtime deps