Support ConditionallySelectable for types that are not Copy

Question

Support ConditionallySelectable for types that are not Copy

haslersn opened this issue 2 years ago · 12 comments

haslersn commented 2 years ago

This is a feature request to support the trait ConditionallySelectable for types that are not Copy.

Motivation

I have large types (e.g. polynomials of high degree) that I'd like to be conditionally selectable.

Answer 1 · 2022-07-21T17:26:21.000Z

It's unclear to me what the rationale for the Copy bound even is.

Looking at how subtle uses it, AFAICT it's only used by conditional_swap. Questions of breaking changes aside, it looks like the bound could potentially be moved to that method only.

Answer 2 · 2022-10-11T17:24:17.000Z

Copy can also appear in conditional_select, like in this code that implements ConditionallySelectable for all fixed-size arrays.

If I understand correctly, Henry's stated reasoning is that allowing Clone types gives people too much leeway in their impls, allowing them to possibly do a clone() whose timing leaks bits about the data.

I'm not opposed to this reasoning. I just wonder if there's an escape hatch we could make that allows you to do this if you're very careful.

Answer 3 · 2022-10-11T17:48:26.000Z

Copy can also appear in conditional_select, like in this code that implements ConditionallySelectable for all fixed-size arrays.

The Copy bound could potentially be moved to that impl, e.g.

impl<T, const N: usize> ConditionallySelectable for [T; N]
where T: ConditionallySelectable + Copy

If I understand correctly, Henry's #56 is that allowing Clone types gives people too much leeway in their impls, allowing them to possibly do a clone() whose timing leaks bits about the data.

That is a reasonable concern. Copy should always be constant-time, whereas Clone admits a sharp edge.

However, I do also sympathize with the concern that it may be unwise to impl Copy on very large types. Personally I tend to use the size of an x86 cache line (64-bytes) as my personal rule of thumb for a boundary after which one should consider if types are too large to impl Copy.

Answer 4 · 2022-10-11T18:15:30.000Z

Agreed. A not-great idea: make a trait SafeConditionallySelectable: Copy and then make trait ConditionallySelectable unconstrainted. That way people can still write generics relying on ConditionallySelectable. And it'd be the case that SafeConditionallySelectable is always ConditionallySelectable. Downsides: this changes the meanings of pre-existing terms, doesn't remove the footgun, and requires a major version release.

Answer 5 · 2022-10-11T18:19:37.000Z

Another option besides splitting the ConditionallySelectable trait would be adding a marker trait like:

pub trait CtClone: Clone {}

impl<T: Copy> CtClone for T {}

...and then changing ConditionallySelectable to be bound on CtClone.

CtClone would be a marker trait which means "I assert my Clone impl is constant-time".

Answer 6 · 2022-10-11T18:28:00.000Z

Oh, that's pretty nice. I'd be fine with that.

Answer 7 · 2023-04-04T07:56:00.000Z

I think a similar argument applies to CtOption::map (and and_then, or_else).
The code has a comment:

    /// This operates in constant time, because the provided closure
    /// is always called.

which is obviously only true if the called closure runs in constant-time but there is nothing enforcing that.

Answer 8 · 2023-04-27T00:14:32.000Z

A big drawback of the Copy bound is it makes it impossible to implement ConditionallySelectable for heap allocated types, e.g. a heap-backed big integer.

Answer 9 · 2023-04-27T00:31:10.000Z

However, changing it seems like a breaking change due to removing the supertrait bound on Copy.

Currently anything that's ConditionallySelectable can be assumed to be Copy via that supertrait bound. Removing it might require changing bounds in existing code to ConditionallySelectable + Copy.

It's the kind of thing that makes me wish we had something like Crater to see if it would break any real-world code. I think there's a real chance it might.

Answer 10 · 2023-04-27T17:35:56.000Z

It seems like the only way to support non-Copy types without breaking changes would be to define a new trait and use a blanket impl for backwards compatibility. Something like:

pub trait ConstantTimeClone: Clone {}

impl<T: Copy> ConstantTimeClone for T {}

pub trait ConstantTimeSelect: ConstantTimeClone {
    fn ct_select(a: &Self, b: &Self, choice: Choice) -> Self;

    [...]
}

impl<T: ConditionallySelectable> ConstantTimeSelect for T {
    [...]
}

...then ConditionallySelectable could potentially be deprecated.

Answer 11 · 2023-11-28T14:01:52.000Z

I've been attempting to make use of subtle with heap-allocated BoxedInteger/BoxedResidue types, with the goal of using those to implement the rsa and dsa crates.

I can attest the Copy bound becomes a major impediment in these cases, because without ConditionallySelectable the CtOption combinators don't work, which IMO is one of subtle's best features for writing constant-time code.

I can try to open a PR with what I've outlined above, which in theory should be a backwards compatible change as current ConditionallySelectable users can leverage the new trait via the blanket impl (though it should likely be deprecated).

CtOption will need to be changed to use the new trait, which again shouldn't be breaking due to the blanket impl. #63 will also likely need to be addressed for my use cases to work, as we need to ensure fixed-but-dynamic precisions are consistent throughout, and Default will return a value with a number of limbs smaller than e.g. an RSA modulus.

Answer 12 · 2023-11-29T21:40:37.000Z

I went ahead and impl'd my aforementioned ConstantTimeSelect trait idea here: #118