Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline black_box using the recently added subtle::BlackBox newtype (see dalek-cryptography/subtle#123)
Internally BlackBox uses a volatile read by default (i.e. same strategy which was used before) or when the core_hint_black_box feature of subtle is enabled, it uses core::hint::black_box (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703)
This PR goes ahead and uses BlackBox for both mask and underflow_mask where previously it was only used on underflow_mask. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future.
Below are godbolt inspections of the generated assembly, which are free of the jns instructions originally spotted in #659/#661:
Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline
black_box
using the recently addedsubtle::BlackBox
newtype (see dalek-cryptography/subtle#123)Internally
BlackBox
uses a volatile read by default (i.e. same strategy which was used before) or when thecore_hint_black_box
feature ofsubtle
is enabled, it usescore::hint::black_box
(whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703)This PR goes ahead and uses
BlackBox
for bothmask
andunderflow_mask
where previously it was only used onunderflow_mask
. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future.Below are godbolt inspections of the generated assembly, which are free of the
jns
instructions originally spotted in #659/#661: