crypto/subtle: simplify and speed up constant-time primitives

This changes improves the ConstantTimeByteEq and ConstantTimeEq primitives to both simplify them and improve their performance. Also, since there were no benchmarks for this package before, this change adds benchmarks for ConstantTimeByteEq, ConstantTimeEq, and ConstantTimeLessOrEq. benchmarks on darwin/amd64, 10 runs on old vs new code: name old time/op new time/op delta ConstantTimeByteEq-4 2.28ns ±16% 1.53ns ± 2% -33.09% (p=0.000 n=10+9) ConstantTimeEq-4 2.77ns ±10% 1.51ns ± 2% -45.59% (p=0.000 n=10+9) ConstantTimeLessOrEq-4 1.52ns ± 8% 1.50ns ± 2% ~ (p=0.866 n=9+9) Change-Id: I29b8cbcf158e1f30411720db82d38b4ecd166b15 Reviewed-on: https://go-review.googlesource.com/45310Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

crypto/subtle: simplify and speed up constant-time primitives
This changes improves the ConstantTimeByteEq and ConstantTimeEq primitives to both simplify them and improve their performance. Also, since there were no benchmarks for this package before, this change adds benchmarks for ConstantTimeByteEq, ConstantTimeEq, and ConstantTimeLessOrEq. benchmarks on darwin/amd64, 10 runs on old vs new code: name old time/op new time/op delta ConstantTimeByteEq-4 2.28ns ±16% 1.53ns ± 2% -33.09% (p=0.000 n=10+9) ConstantTimeEq-4 2.77ns ±10% 1.51ns ± 2% -45.59% (p=0.000 n=10+9) ConstantTimeLessOrEq-4 1.52ns ± 8% 1.50ns ± 2% ~ (p=0.866 n=9+9) Change-Id: I29b8cbcf158e1f30411720db82d38b4ecd166b15 Reviewed-on: https://go-review.googlesource.com/45310Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
d58bf64d · Bryan A Ford · Brad Fitzpatrick · a1088483 · d58bf64d · d58bf64d
Commit d58bf64d authored Jun 10, 2017 by Bryan A Ford Committed by Brad Fitzpatrick Nov 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 14 deletions

constant_time.go src/crypto/subtle/constant_time.go +2 -14

constant_time_test.go src/crypto/subtle/constant_time_test.go +32 -0

No files found.
--- a/src/crypto/subtle/constant_time.go
+++ b/src/crypto/subtle/constant_time.go
@@ -29,24 +29,12 @@ func ConstantTimeSelect(v, x, y int) int { return ^(v-1)&x | (v-1)&y }

 // ConstantTimeByteEq returns 1 if x == y and 0 otherwise.
 func ConstantTimeByteEq(x, y uint8) int {
-	z := ^(x ^ y)
-	z &= z >> 4
-	z &= z >> 2
-	z &= z >> 1
-
-	return int(z)
+	return int((uint32(x^y) - 1) >> 31)
 }

 // ConstantTimeEq returns 1 if x == y and 0 otherwise.
 func ConstantTimeEq(x, y int32) int {
-	z := ^(x ^ y)
-	z &= z >> 16
-	z &= z >> 8
-	z &= z >> 4
-	z &= z >> 2
-	z &= z >> 1
-
-	return int(z & 1)
+	return int((uint64(uint32(x^y)) - 1) >> 63)
 }

 // ConstantTimeCopy copies the contents of y into x (a slice of equal length)

--- a/src/crypto/subtle/constant_time_test.go
+++ b/src/crypto/subtle/constant_time_test.go
@@ -125,3 +125,35 @@ func TestConstantTimeLessOrEq(t *testing.T) {
 		}
 	}
 }
+
+var benchmarkGlobal uint8
+
+func BenchmarkConstantTimeByteEq(b *testing.B) {
+	var x, y uint8
+
+	for i := 0; i < b.N; i++ {
+		x, y = uint8(ConstantTimeByteEq(x, y)), x
+	}
+
+	benchmarkGlobal = x
+}
+
+func BenchmarkConstantTimeEq(b *testing.B) {
+	var x, y int
+
+	for i := 0; i < b.N; i++ {
+		x, y = ConstantTimeEq(int32(x), int32(y)), x
+	}
+
+	benchmarkGlobal = uint8(x)
+}
+
+func BenchmarkConstantTimeLessOrEq(b *testing.B) {
+	var x, y int
+
+	for i := 0; i < b.N; i++ {
+		x, y = ConstantTimeLessOrEq(x, y), x
+	}
+
+	benchmarkGlobal = uint8(x)
+}