Closed cosmicexplorer closed 2 years ago
I got curious as to why subtle doesn't have this, since it seems like they could implement it similarly, and found https://github.com/dalek-cryptography/subtle/issues/61. libsignal-protocol's implementation isn't actually lexicographic, it's length-lexicographic, and (as noted) not constant-time in that case. I'd say that tips it over the edge to being left as an implementation detail; the place for this is really subtle (or subtle-ng), and just because they don't have it doesn't mean we should provide our own quirky implementation.
Ok, that is exactly what I was hoping to learn from filing this (my thought was: if we're doing something very wonky, let's document it, and if we're not, let's use the more canonical thing)! I'll close this PR and see what subtle/subtle-ng thinks about this use case.
I am hoping to implement this in zkcrypto/subtle-ng#5!
Note: subtle-ng is unmaintained, subtle is the correct project.
Broken out of #287.
This key comparison method is useful to have for downstream consumers to avoid leaking timing information when comparing bytes. If downstream consumers of the libsignal crate wish to implement their own structs wrapping secret bytes, they now have a clearly documented example of how to implement that.