lib-q-hpke 0.0.4

HPKE implementation for lib-q
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

//! Constant-time operations for cryptographic security

/// Constant-time equality comparison
///
/// This function performs a constant-time comparison of two byte slices
/// to prevent timing attacks. It returns true if the slices are equal,
/// false otherwise.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }

    let mut result = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        result |= x ^ y;
    }
    result == 0
}

/// Constant-time selection
///
/// Returns a if choice is 1, b if choice is 0.
/// Choice must be 0 or 1, otherwise behavior is undefined.
pub fn constant_time_select(choice: u8, a: u8, b: u8) -> u8 {
    let mask = 0u8.wrapping_sub(choice);
    (a & mask) | (b & !mask)
}

/// Constant-time conditional copy
///
/// If choice is 1, copies src to dst. If choice is 0, leaves dst unchanged.
/// Choice must be 0 or 1, otherwise behavior is undefined.
pub fn constant_time_copy(choice: u8, dst: &mut [u8], src: &[u8]) {
    if dst.len() != src.len() {
        return;
    }

    let mask = 0u8.wrapping_sub(choice);
    for (d, s) in dst.iter_mut().zip(src.iter()) {
        *d = (*d & !mask) | (*s & mask);
    }
}

/// Constant-time conditional swap
///
/// If choice is 1, swaps a and b. If choice is 0, leaves them unchanged.
/// Choice must be 0 or 1, otherwise behavior is undefined.
pub fn constant_time_swap(choice: u8, a: &mut [u8], b: &mut [u8]) {
    if a.len() != b.len() {
        return;
    }

    let mask = 0u8.wrapping_sub(choice);
    for (a_elem, b_elem) in a.iter_mut().zip(b.iter_mut()) {
        let temp = *a_elem;
        *a_elem = (*a_elem & !mask) | (*b_elem & mask);
        *b_elem = (*b_elem & !mask) | (temp & mask);
    }
}

/// Constant-time conditional zero
///
/// If choice is 1, zeros out the slice. If choice is 0, leaves it unchanged.
/// Choice must be 0 or 1, otherwise behavior is undefined.
pub fn constant_time_zero(choice: u8, data: &mut [u8]) {
    let mask = 0u8.wrapping_sub(choice);
    for byte in data.iter_mut() {
        *byte &= !mask;
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_constant_time_eq() {
        let a = b"hello";
        let b = b"hello";
        let c = b"world";
        let d = b"hell";

        assert!(constant_time_eq(a, b));
        assert!(!constant_time_eq(a, c));
        assert!(!constant_time_eq(a, d));
        assert!(!constant_time_eq(b"", b"a"));
    }

    #[test]
    fn test_constant_time_select() {
        assert_eq!(constant_time_select(1, 0xFF, 0x00), 0xFF);
        assert_eq!(constant_time_select(0, 0xFF, 0x00), 0x00);
    }

    #[test]
    fn test_constant_time_copy() {
        let mut dst = [0u8; 4];
        let src = [1u8, 2u8, 3u8, 4u8];

        constant_time_copy(1, &mut dst, &src);
        assert_eq!(dst, src);

        constant_time_copy(0, &mut dst, &[5u8, 6u8, 7u8, 8u8]);
        assert_eq!(dst, src); // Should be unchanged
    }

    #[test]
    fn test_constant_time_swap() {
        let mut a = [1u8, 2u8, 3u8, 4u8];
        let mut b = [5u8, 6u8, 7u8, 8u8];
        let a_orig = a;
        let b_orig = b;

        constant_time_swap(1, &mut a, &mut b);
        assert_eq!(a, b_orig);
        assert_eq!(b, a_orig);

        constant_time_swap(0, &mut a, &mut b);
        assert_eq!(a, b_orig); // Should be unchanged
        assert_eq!(b, a_orig); // Should be unchanged
    }

    #[test]
    fn test_constant_time_zero() {
        let mut data = [1u8, 2u8, 3u8, 4u8];

        constant_time_zero(1, &mut data);
        assert_eq!(data, [0u8, 0u8, 0u8, 0u8]);

        data = [1u8, 2u8, 3u8, 4u8];
        constant_time_zero(0, &mut data);
        assert_eq!(data, [1u8, 2u8, 3u8, 4u8]); // Should be unchanged
    }
}