amaters-core 0.2.2

Core kernel for AmateRS - Fully Homomorphic Encrypted Database
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

//! Constant-time comparison and selection primitives.

/// Constant-time equality comparison of two byte slices.
///
/// # Example
///
/// ```
/// use amaters_core::crypto::constant_time::constant_time_eq;
///
/// let a = b"secret_token_abc";
/// let b_eq = b"secret_token_abc";
/// let c = b"different_token!";
///
/// assert!(constant_time_eq(a, b_eq));
/// assert!(!constant_time_eq(a, c));
/// ```
#[inline]
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Constant-time byte selection.
///
/// Returns `a` if `choice` is non-zero; returns `b` if `choice == 0`.
#[inline]
pub fn constant_time_select(choice: u8, a: u8, b: u8) -> u8 {
    // Normalise to exactly 0 or 1 so wrapping_neg produces a full 0x00/0xFF mask.
    let bit = choice.min(1);
    let mask = (bit as i8).wrapping_neg() as u8;
    (mask & a) | (!mask & b)
}

/// Constant-time slice selection.
///
/// Writes `a` into `out` if `choice` is non-zero; writes `b` into `out` if `choice == 0`.
pub fn constant_time_select_slice(choice: u8, a: &[u8], b: &[u8], out: &mut [u8]) {
    assert_eq!(a.len(), b.len(), "a and b must have equal length");
    assert_eq!(a.len(), out.len(), "out must have same length as a and b");
    // Normalise to exactly 0 or 1 so wrapping_neg produces a full 0x00/0xFF mask.
    let bit = choice.min(1);
    let mask = (bit as i8).wrapping_neg() as u8;
    for ((ai, bi), oi) in a.iter().zip(b.iter()).zip(out.iter_mut()) {
        *oi = (mask & ai) | (!mask & bi);
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::time::Instant;

    #[test]
    fn test_constant_time_eq_identical() {
        assert!(constant_time_eq(b"", b""));
        assert!(constant_time_eq(b"hello world", b"hello world"));
        let v: Vec<u8> = (0u8..=255).collect();
        assert!(constant_time_eq(&v, &v.clone()));
    }

    #[test]
    fn test_constant_time_eq_different_content() {
        assert!(!constant_time_eq(b"hello", b"world"));
        assert!(!constant_time_eq(b"aaa", b"aab"));
        let mut a = vec![0u8; 64];
        let mut b = vec![0u8; 64];
        b[0] = 1;
        assert!(!constant_time_eq(&a, &b));
        a[63] = 1;
        b[0] = 0;
        assert!(!constant_time_eq(&a, &b));
    }

    #[test]
    fn test_constant_time_eq_different_length() {
        assert!(!constant_time_eq(b"abc", b"ab"));
        assert!(!constant_time_eq(b"", b"a"));
        assert!(!constant_time_eq(b"a", b""));
    }

    #[test]
    fn test_constant_time_select_byte() {
        assert_eq!(constant_time_select(1, 0xAA, 0xBB), 0xAA);
        assert_eq!(constant_time_select(0, 0xAA, 0xBB), 0xBB);
        assert_eq!(constant_time_select(2, 0xAA, 0xBB), 0xAA);
    }

    #[test]
    fn test_constant_time_select_slice() {
        let a = [0xAAu8; 8];
        let b = [0xBBu8; 8];
        let mut out = [0u8; 8];
        constant_time_select_slice(1, &a, &b, &mut out);
        assert_eq!(out, a);
        constant_time_select_slice(0, &a, &b, &mut out);
        assert_eq!(out, b);
    }

    #[test]
    fn test_constant_time_eq_timing_ratio() {
        let a = vec![0u8; 1024];
        let b_eq = vec![0u8; 1024];
        let mut b_diff = vec![0u8; 1024];
        b_diff[0] = 1;

        let n = 10_000usize;

        let t_eq = {
            let start = Instant::now();
            for _ in 0..n {
                let _ = constant_time_eq(&a, &b_eq);
            }
            start.elapsed()
        };

        let t_diff = {
            let start = Instant::now();
            for _ in 0..n {
                let _ = constant_time_eq(&a, &b_diff);
            }
            start.elapsed()
        };

        let ratio = t_diff.as_nanos() as f64 / t_eq.as_nanos().max(1) as f64;
        assert!(
            ratio > 0.2 && ratio < 5.0,
            "timing ratio {ratio:.2} suggests non-constant-time behavior (t_eq={t_eq:?}, t_diff={t_diff:?})"
        );
    }
}