-
Notifications
You must be signed in to change notification settings - Fork 354
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ConstantTimeEq
support for Hash
#419
base: master
Are you sure you want to change the base?
Conversation
This change looks good in code, but it seems to come with a substantial performance penalty. I'm pasting this new benchmark at the end of #[no_mangle]
#[inline(never)]
pub fn foo(hash1: &blake3::Hash, hash2: &blake3::Hash) -> bool {
hash1 == hash2
}
#[bench]
fn bench_eq(b: &mut Bencher) {
let hash1 = blake3::hash(b"foo");
let hash2 = blake3::hash(b"bar");
b.iter(|| foo(test::black_box(&hash1), test::black_box(&hash2)));
} On master I see:
On this branch I see:
31 nanoseconds might not sound like a lot, but for comparison that's almost as long as it takes to hash 64 bytes on my laptop (with AVX-512 support):
If we look at
Have you looked at these sorts of details before? Do you know if there's anything we can do differently in how we're calling
This does sound nice. If we don't end up landing this change, I might try to contribute something similar to |
The optimization barrier in The core library does include its own optimization barrier (the one from your benchmarks) that was previously available in One option that I mulled over was whether it's reasonably safe enough to use variable-time equality testing for |
Anyway, I'm happy to close this if the performance hit isn't worth the library change and Miri cleanup. |
Let's see what Cesar thinks of that PR I just put up. Also if some callers need trait compatibility with |
Is there a particular reason why the current Miri workaround doesn't just use variable-time equality, if it's not intended for use outside of testing (and not used for benchmarks)? Having a pseudo-constant-time variant in the codebase for that purpose seems like a small footgun that someone might use elsewhere unsafely. |
No particularly good reason, you're right. It might make sense to delete it, but on the other hand there's some copy-paste risk on both sides of the equation. We don't want folks to use the naive function thinking it's constant time, but we also don't want folks to think it's ok to use non-constant-time comparisons with secret values. Either way we kind of have to lean on scary comments. |
Good point overall; the only proper approach would be to nix it entirely, so hopefully your PR gets accepted! I do think that the overall risk is still greater (at least marginally) with the current workaround, especially given that the function is named Separately, good idea that |
Sorry for the delay. Looks fine to me. Merged and published |
Thanks @AaronFeickert and @cesarb. Merged! |
e0f9cad
to
8b316f0
Compare
ConstantTimeEq
support for Hash
@oconnor663: After the ongoing discussion, this has been updated to retain the existing (speedy) functionality from I think this is a useful addition, and also opens the door to adding other useful traits in the future if desired. |
8b316f0
to
6a1928a
Compare
6a1928a
to
ae57162
Compare
This PR improves the handling of constant-time equality for hashes.
It adds an optional
subtle
feature that implementsConstantTimeEq
forHash
. This trait usessubtle
functionality under the hood for the trait implementation.This also opens the door for other useful
subtle
traits elsewhere in the future.