Is this library constant time?

Question

Is this library constant time?

FredericJacobs opened this issue 11 years ago · 9 comments

Answer 1 · 2014-03-08T02:10:48.000Z

If nacl is (which I think it is), and emscripten preserves that property (which I think it should), then this library will be. But I don't know for sure one way or the other.

Answer 2 · 2014-03-08T02:12:08.000Z

Isn't this something that should be investigated and tested?

Answer 3 · 2014-03-08T02:17:56.000Z

Yes please :-)

Answer 4 · 2014-03-08T02:21:55.000Z

What I meant by that is that the issue shouldn't be closed on a simple "I think it is/should" note.

Answer 5 · 2014-03-08T02:59:01.000Z

Ah, I see. I'll reopen it, as the question still stands. I'm afraid I don't have the bandwidth to look into it myself at the moment; if you can help, I'd appreciate it.

Answer 6 · 2014-08-10T04:35:09.000Z

The library should carry a prominent warning until this has been checked. It's a critical property, and usually requires special handling for a given compiler.

Answer 7 · 2014-08-10T22:25:38.000Z

When saying "constant time library", what do you mean?

If meaning is "constant time check when authenticating message" in Poly code. Then answer is yes, NaCl's comparison of vectors goes exactly the same time (constant time) irrespective of where incorrect bit is encounted.
If meaning is "(de)encryption time not dependent of message content" in Salsa code. Then answer is yes. (De)Encryption time depends only on message length.
If meaning is "immune to timing attack", then it is the same as meaning (1), and answer is, therefore, yes.

Please notice that this is all due to C code, written by original authors.

@tonyg close this issue.

Answer 8 · 2014-08-11T00:39:04.000Z

@3nsoft agreed that the C code takes particular care to ensure these properties -- however, because I haven't actually tested it yet, I can't be sure that emscripten (or, for that matter, the javascript JIT) doesn't take liberties. I'd be surprised if there was a problem, but until it has been tested, I can't be sure.

If anyone feels able to contribute a test-case showing (with high probability) that we really do enjoy constant-time bytevector comparisons, I'd love to include it.

Answer 9 · 2015-08-21T00:33:53.000Z

Yes, please include a prominent warning in the README that says that this crypto has not been thoroughly audited; that's exactly what I came here to check because it's necessary for building systems that are secure!