3 * Constant-time operations
5 * (c) 2013 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #include <mLib/bits.h>
34 /*----- Main code ---------------------------------------------------------*/
36 #define MASK(a) (U32(~((a) - 1)))
38 /* --- @ct_inteq@ --- *
40 * Arguments: @uint32 x, y@ = two 32-bit unsigned integers
42 * Returns: One if @x@ and @y@ are equal, zero if they differ.
44 * Use: Answers whether two integers are equal, in constant time.
47 int ct_inteq(uint32 x, uint32 y)
51 /* --- How it works --- *
53 * Obviously, %$a$% is nonzero if and only if %$x \ne y$%. Let %$N > 0$%.
54 * Suppose that %$0 < a < N$%. Then:
56 * %$N/2 = N - N/2 \le N - (a + 1)/2 = N - a/2 - 1/2$%
57 * %${} = N - a + a/2 - 1/2 = N - a + (a - 1)/2$%
58 * %${} \le N - a + \lfloor a/2 \rfloor < N$%
60 * Consequently, if %$N = 2^{32}$% and %$a$% is nonzero, then
61 * %$a - \lfloor a/2 \rfloor$% has its top bit set. Of course, if
62 * %$a = 0$% then %$a - \lfloor a/2 \rfloor = 0$%.
66 return (U32(~a) >> 31);
69 /* --- @ct_intle@ --- *
71 * Arguments: @uint32 x, y@ = two 32-bit unsigned integers
73 * Returns: One if %$x \le y$%, zero if @x@ is greater.
75 * Use: Answers whether two integers are ordered, in constant time.
78 int ct_intle(uint32 x, uint32 y)
80 /* --- This bit's a little fiddly --- *
82 * If the top bits of @x@ and @y@ are the same then %$x \le y$% if and only
83 * if %$y - x$% has its top bit clear; otherwise, %$x \le y$% if and only
84 * if (the top bit of @x@ is clear and) the top bit of @y@ is set.
86 * This assumes we can do subtraction in constant time, which seems like a
92 uint32 a = (y&diff) | (~low&~diff);
93 return (U32(a) >> 31);
96 /* --- @ct_pick@ --- *
98 * Arguments: @uint32 a@ = a switch, either zero or one
99 * @uint32 x0, x1@ = two 32-bit unsigned integers
101 * Returns: @x0@ if @a@ is zero; @x1@ if @a@ is one. Other values of @a@
102 * will give you unhelpful results.
104 * Use: Picks one of two results according to a switch variable, in
108 int ct_pick(uint32 a, uint32 x0, uint32 x1)
109 { uint32 m = MASK(a); return (x0&~m) | (x1&m); }
111 /* --- @ct_condcopy@ --- *
113 * Arguments: @uint32 a@ = a switch, either zero or one
114 * @void *d@ = destination pointer
115 * @const void *s@ = source pointer
116 * @size_t n@ amount to copy
120 * Use: If @a@ is one then copy the @n@ bytes starting at @s@ to
121 * @d@; if @a@ is zero then leave @d@ unchanged (but it will
122 * still be written). All of this is done in constant time.
125 void ct_condcopy(uint32 a, void *d, const void *s, size_t n)
132 *dd = (*ss++&m) | (*dd&~m);
137 /* --- @ct_memeq@ ---
139 * Arguments: @const void *p, *q@ = two pointers to buffers
140 * @size_t n@ = the (common) size of the buffers
142 * Returns: One if the two buffers are equal, zero if they aren't.
144 * Use: Compares two chunks of memory, in constant time.
147 int ct_memeq(const void *p, const void *q, size_t n)
149 const octet *pp = p, *qq = q;
152 while (n--) a |= *pp++ ^ *qq++;
153 return (ct_inteq(a, 0));
156 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob