dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

curve: use `subtle::BlackBox` optimization barrier #662

Closed tarcieri closed 2 weeks ago

tarcieri commented 2 weeks ago

Replaces the security mitigation added in #659 and #661 for masking-related timing variability, which used an inline black_box, using the recently added subtle::BlackBox newtype (see dalek-cryptography/subtle#123).

Internally BlackBox uses a volatile read by default (i.e. the same strategy which was used before) or, when the core_hint_black_box feature of subtle is enabled, it uses core::hint::black_box (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703).

This PR goes ahead and uses BlackBox for both mask and underflow_mask where previously it was only used on underflow_mask. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future.

Below are godbolt inspections of the generated assembly, which are free of the jns instructions originally spotted in #659/#661:
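The pattern the PR describes, as an added, self-contained illustration that is not code from curve25519-dalek or subtle: a minimal `BlackBox` newtype whose `get()` performs a volatile read (the default strategy described above) and a `get_hinted()` variant that routes through `core::hint::black_box` (what the `core_hint_black_box` feature selects), followed by two toy limb-arithmetic routines that mirror the two masks mentioned in the PR. `sub_mod` derives an all-ones-or-zero `underflow_mask` from the final borrow of a multi-limb subtraction and uses it to conditionally add the modulus back; `ct_select` builds a `mask` from a 0/1 choice and applies it in a loop. Both masks pass through the barrier before the loop that consumes them, so the optimizer loses the "this value is either 0 or all-ones" knowledge that lets it rewrite `x & mask` as a branch. The 4-limb layout and the modulus constant (2^255 - 19 in 64-bit limbs) are assumptions for the example, not a claim about the library's internal representation. Note that a barrier only removes one source of optimizer-introduced branching; as the PR does, confirm the generated assembly (e.g. on godbolt) rather than trusting the source.

```rust
// Added example (not project code): an optimization barrier newtype in the
// style described above, plus toy uses of the mask / underflow_mask pattern.

/// Opaque wrapper that hides the provenance of a value from the optimizer.
#[derive(Clone, Copy, Debug)]
pub struct BlackBox<T: Copy>(T);

impl<T: Copy> BlackBox<T> {
    #[inline]
    pub fn new(value: T) -> Self {
        Self(value)
    }

    /// Default strategy: a volatile read. The compiler must assume the
    /// value could be anything, so it cannot specialise on "0 or all-ones".
    #[inline]
    pub fn get(self) -> T {
        // SAFETY: `&self.0` is a valid, aligned pointer to an initialised T.
        unsafe { core::ptr::read_volatile(&self.0) }
    }

    /// Alternative strategy: `core::hint::black_box` (stable since 1.66).
    /// Its docs describe it as a best-effort hint, not a hard guarantee.
    #[inline]
    pub fn get_hinted(self) -> T {
        core::hint::black_box(self.0)
    }
}

/// Assumed modulus for the toy field: p = 2^255 - 19 as four little-endian
/// 64-bit limbs. This layout is an assumption of the example only.
pub const P: [u64; 4] = [
    0xFFFF_FFFF_FFFF_FFED,
    0xFFFF_FFFF_FFFF_FFFF,
    0xFFFF_FFFF_FFFF_FFFF,
    0x7FFF_FFFF_FFFF_FFFF,
];

/// Compute (a - b) mod p without branching on whether a < b.
pub fn sub_mod(a: &[u64; 4], b: &[u64; 4]) -> [u64; 4] {
    let mut diff = [0u64; 4];
    let mut borrow = 0u64;
    for i in 0..4 {
        let (d1, b1) = a[i].overflowing_sub(b[i]);
        let (d2, b2) = d1.overflowing_sub(borrow);
        diff[i] = d2;
        borrow = (b1 | b2) as u64;
    }
    // borrow == 1 exactly when a < b. Turn it into 0x00..0 or 0xFF..F, then
    // push it through the barrier so the loop below sees an opaque value.
    let underflow_mask = BlackBox::new(0u64.wrapping_sub(borrow)).get();

    let mut carry = 0u64;
    for i in 0..4 {
        // Adds P when underflow_mask is all-ones, adds 0 otherwise.
        let addend = P[i] & underflow_mask;
        let (s1, c1) = diff[i].overflowing_add(addend);
        let (s2, c2) = s1.overflowing_add(carry);
        diff[i] = s2;
        carry = (c1 | c2) as u64;
    }
    diff
}

/// Return `a` if choice == 0, `b` if choice == 1, using a masked loop.
pub fn ct_select(a: &[u64; 4], b: &[u64; 4], choice: u8) -> [u64; 4] {
    debug_assert!(choice <= 1, "choice must be a single bit");
    // 0 -> 0x00..0, 1 -> 0xFF..F, with the barrier applied before the loop.
    let mask = BlackBox::new(0u64.wrapping_sub(choice as u64)).get();
    let mut out = [0u64; 4];
    for i in 0..4 {
        out[i] = a[i] ^ (mask & (a[i] ^ b[i]));
    }
    out
}

fn main() {
    let zero = [0u64; 4];
    let one = [1u64, 0, 0, 0];
    println!("0 - 1 mod p = {:x?}", sub_mod(&zero, &one));
    println!("select(a, b, 1) = {:?}", ct_select(&[1, 2, 3, 4], &[9, 8, 7, 6], 1));
}
```

The barrier is applied to the mask once, before the loop, rather than to every limb: what the optimizer needs in order to manufacture a branch is knowledge that the mask takes only two values, and that knowledge is severed at the point the mask is produced.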