Crate cmov

Crate cmov 

Source
Expand description

§RustCrypto: CMOV (Conditional Move)

Crate Docs Build Status Apache 2.0/MIT Licensed MSRV Project Chat

Conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler.

Provides wrappers for the CMOV family of instructions on x86/x86_64 and the CSEL instruction on AArch64 CPUs, along with a portable fallback implementation for other CPU architectures.

§About

Conditional move intrinsics provide predication which allows selection of one or more values without using branch instructions, thus making the selection constant-time with respect to the values, and not subject to CPU execution features which might introduce timing or other microarchitectural sidechannels introduced by branch prediction or other speculative execution features.

This crate provides wrappers for the CMOV/CSEL instructions implemented using inline asm!, which means the implementation is a black box that will not be rewritten by e.g. LLVM’s architecture-specific lowerings, such as the x86-cmov-conversion pass.

§Supported target architectures

This crate provides guaranteed constant-time operation using inline asm! on the following CPU architectures:

  • x86 (CMOVZ, CMOVNZ)
  • x86_64 (CMOVZ, CMOVNZ)
  • arm (mask generation only)
  • aarch64 (CSEL)

On other target architectures, a “best effort” portable fallback implementation based on bitwise arithmetic is used instead, augmented with tactical usage of core::hint::black_box based on past analysis of the generated assembly. However, we cannot guarantee that this implementation generates branch-free code, especially on hypothetical future rustc versions which introduce new optimizations.

Please open an issue if you notice non-constant-time CPU instructions (e.g. branches, secret-dependent address calculations) being generated and we will treat it as a security issue and do our best to find a solution.

You can also open an issue to request first-class support for native predication instructions on other architectures we don’t currently support.

§x86 / x86_64 notes

Intel has confirmed that all extant CPUs implement the CMOV family of instructions in constant-time, and that this property will hold for future Intel CPUs as well.

§⚠️ Security Warning

The implementation contained in this crate has never been independently audited! USE AT YOUR OWN RISK!

Below are security issues this crate has experienced in the past:

§Minimum Supported Rust Version (MSRV) Policy

MSRV increases are not considered breaking changes and can happen in patch releases.

The crate MSRV accounts for all supported targets and crate feature combinations, excluding explicitly unstable features.

§License

Licensed under either of:

at your option.

§Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Traits§

Cmov
Conditional move
CmovEq
Conditional move with equality comparison

Type Aliases§

Condition
Condition