subtle status #148
Description
subtle has a number of problematic limitations for our use in @RustCrypto, namely it lacks const fn support and has Copy bounds which preclude using traits like ConditionallySelectable (and with it the CtOption type) on heap-allocated types, which are important for algorithms like DSA, RSA, and SRP.
To make const fn support and heap-allocated types work we ended up writing a nearly full-featured subtle replacement inside of crypto-bigint, which I recently extracted out into the ctutils crate and migrated crypto-bigint onto:
https://github.com/RustCrypto/utils/tree/master/ctutils
Selection/predication and equality testing in ctutils are implemented in terms of asm! on x86(_64) and aarch64 to emit instructions like CMOV/CSEL that cannot be rewritten by codegen backends like LLVM. Sidechannel analysis measurements we performed on the rsa crate showed reduced timing variability after we migrated to ctutils.
However, since ff/group use subtle, we have opted to keep the public facing API of the https://github.com/RustCrypto/elliptic-curves crates implemented in terms of subtle.
I proposed upstreaming the improvements in ctutils into subtle and really only got as far as doing some basic maintenance.
Ideally subtle itself would get revived, however if that doesn't happen perhaps improvements could instead be made to subtle-ng? Or perhaps you could adopt ctutils wholesale.
I'm happy to go whatever direction and if we wind up with a modern subtle-alike with feature parity with ctutils, I would be happy to retire ctutils and migrate everything to that. Ideally I'd like to make a decision in the next month or two so we can begin our next breaking stable release series of @RustCrypto crates. Some numbered options:
- Get breaking changes into the
subtlecrate - Make those same changes, but to the
subtle-ngcrate, and migrate to that - Migrate to the
ctutilscrate - Do nothing and continue using
subtlein its current form