tonyg / js-nacl

Pure-Javascript High-level API to Emscripten-compiled libsodium routines.

Is this library constant time? #30

Open FredericJacobs opened 10 years ago

tonyg commented 10 years ago

If nacl is (which I think it is), and emscripten preserves that property (which I think it should), then this library will be. But I don't know for sure one way or the other.

FredericJacobs commented 10 years ago

Isn't this something that should be investigated and tested?

tonyg commented 10 years ago

Yes please :-)

FredericJacobs commented 10 years ago

What I meant by that is that the issue shouldn't be closed on a simple "I think it is/should" note.

tonyg commented 10 years ago

Ah, I see. I'll reopen it, as the question still stands. I'm afraid I don't have the bandwidth to look into it myself at the moment; if you can help, I'd appreciate it.

cwillu commented 10 years ago

The library should carry a prominent warning until this has been checked. It's a critical property, and usually requires special handling for a given compiler.

3nsoft commented 10 years ago

When saying "constant time library", what do you mean?

1) If the meaning is "constant time check when authenticating message" in Poly code, then the answer is yes: NaCl's comparison of vectors takes exactly the same time (constant time) irrespective of where the incorrect bit is encountered.

2) If the meaning is "(de)encryption time not dependent on message content" in Salsa code, then the answer is yes. (De)Encryption time depends only on message length.

3) If the meaning is "immune to timing attack", then it is the same as meaning (1), and the answer is, therefore, yes.

Please notice that this is all due to the C code, written by the original authors.

@tonyg close this issue.

tonyg commented 10 years ago

@3nsoft agreed that the C code takes particular care to ensure these properties -- however, because I haven't actually tested it yet, I can't be sure that emscripten (or, for that matter, the javascript JIT) doesn't take liberties. I'd be surprised if there was a problem, but until it has been tested, I can't be sure.

If anyone feels able to contribute a test-case showing (with high probability) that we really do enjoy constant-time bytevector comparisons, I'd love to include it.
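
The kind of test case asked for above, as an added example that is not code from js-nacl or libsodium: a plain-JS early-exit comparison beside a branch-free one, and a batch-timing harness that reports the ratio between a mismatch at the last byte and one at the first byte (any `eq(a, b)` function can be passed in, including a wrapper around the library's own verify routine). The numbers are noisy and indicative only; they do not replace inspecting the emscripten output.

```javascript
let sink = 0; // keeps results live so the JIT cannot drop the calls

// Early-exit comparison: returns at the first differing byte, so the
// time taken depends on where the first mismatch sits.
function naiveEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return false;
  }
  return true;
}

// Constant-time comparison: visits every byte and ORs the differences,
// so the source has no data-dependent branch. Whether the engine keeps
// it that way is what the harness below tries to observe.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Median over `rounds` of the wall-clock nanoseconds taken by `batch`
// calls of eq(a, b). Batching avoids timer-resolution artefacts.
function medianBatchNanos(eq, a, b, rounds, batch) {
  const samples = [];
  for (let r = 0; r < rounds; r++) {
    const t0 = process.hrtime.bigint();
    for (let i = 0; i < batch; i++) sink ^= eq(a, b) ? 1 : 0;
    samples.push(Number(process.hrtime.bigint() - t0));
  }
  samples.sort((x, y) => x - y);
  return samples[Math.floor(samples.length / 2)];
}

// Ratio of late-mismatch to early-mismatch time for a 32-byte tag.
// Close to 1.0 is what constant time looks like; a ratio that grows
// with the mismatch position indicates a leak.
function timingRatio(eq, rounds = 50, batch = 2000) {
  const ref = new Uint8Array(32).fill(0xab); // constructed sample tag
  const early = Uint8Array.from(ref); early[0] ^= 1;
  const late = Uint8Array.from(ref); late[31] ^= 1;
  const tEarly = medianBatchNanos(eq, ref, early, rounds, batch);
  const tLate = medianBatchNanos(eq, ref, late, rounds, batch);
  return tLate / Math.max(tEarly, 1);
}

console.log('naive:', timingRatio(naiveEqual).toFixed(2),
            'constant-time:', timingRatio(constantTimeEqual).toFixed(2));
```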

elimisteve commented 9 years ago

Yes, please include a prominent warning in the README that says that this crypto has not been thoroughly audited; that's exactly what I came here to check because it's necessary for building systems that are secure!