[liberationtech] Trsst Encryption

Michael Rogers michael at briarproject.org
Fri Mar 21 05:52:19 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20/03/14 19:30, Yuriy Kaminskiy wrote:
> Note that all above variants may be NOT actually branchless and
> thus NOT really constant-time (depending on architecture, jvm
> implementation and options, etc). Most likely, resulting time
> difference won't be sufficient to be useful for attacker, but... (I
> doubt very much you can write guaranteed-constant-time code in java
> (and most other high-level languages) at all.)

Yeah, it would be really nice if Java had some way to mark a block of
code "do not optimise".

> PS If you don't want to invent a bicycle, there is a boolean
> java.security.MessageDigest.isEqual(byte[], byte[]) method.

Thanks for the pointer. The Javadoc doesn't say whether this is a
constant-time comparison. In OpenJDK 6 it isn't. In OpenJDK 7 it does
something similar to my original suggestion. So unfortunately it seems
like this might be a case where bicycle-invention is necessary.

http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b27/java/security/MessageDigest.java#MessageDigest.isEqual%28byte%5B%5D%2Cbyte%5B%5D%29

http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7u40-b43/java/security/MessageDigest.java#MessageDigest.isEqual%28byte%5B%5D%2Cbyte%5B%5D%29

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCAAGBQJTLDYDAAoJEBEET9GfxSfMGPkIAK5G1yzYH7G9lWCt+lTO6MGo
7/rsNWFil0k3dBlI9oVcXEV7+eo+n3DygLdYBv/XmquDjEiVHDQd8j8hpDkjUv77
dNbJzrINgvAJScVfczfPTRemMfm+nuUTePN4T/g4CLTxybBfqr+I+cumrPq9Ez0+
IpzvoUT93NfQM3Z7bPbwTWj0mdm7BQtFau9m2fnUBeh0P+Vor1i1MTW/4pb6w47+
NAAib30nTK21ja8f3vSh5uJ/NEH9jLVaEnwL3lXOpc0DU2u+Hme73zFcVSnwk3gY
u4mll9lKN1bZk/8kYgd+EU1HG2EB/z0863I1GuPE87rF1MJwSFZ4Nom4uOy7Ziw=
=1uie
-----END PGP SIGNATURE-----
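The two comparison styles the thread is arguing about, side by side, as an added example (written for this page, not code from the thread, from Trsst or from Briar, and not the OpenJDK implementation of isEqual). leakyEquals returns at the first mismatching byte, so its running time depends on how long the matching prefix is; constantTimeEquals visits every position and ORs the differences into an accumulator, with the length mismatch folded into the same accumulator rather than returned early. It assumes the tag length is public (it is fixed by the digest or MAC algorithm), and the "constant-time" property holds only at source level: as Yuriy notes, the JIT and the CPU are free to reintroduce branches, which is why the rough timing loop at the end is an illustration rather than a proof. The message being hashed is constructed here; the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Early-exit versus constant-time comparison of digest/MAC bytes (illustrative example). */
public final class ConstantTimeCompare {

    /** Leaky: returns at the first mismatching byte, so run time grows with the matching prefix. */
    static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;   // data-dependent early exit
        }
        return true;
    }

    /**
     * Constant-time at source level: every byte position up to the shorter length is
     * visited and the XOR of each pair is OR-ed into an accumulator, so no branch inside
     * the loop depends on the data. A length mismatch is folded into the accumulator too.
     * Assumption: the tag length is public (fixed by the algorithm), so min() leaks nothing.
     */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    interface Cmp { boolean eq(byte[] a, byte[] b); }

    /** Times `iterations` calls of cmp; the sink keeps the JIT from discarding the work. */
    static long timeNanos(Cmp cmp, byte[] a, byte[] b, int iterations) {
        int sink = 0;
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) sink ^= cmp.eq(a, b) ? 1 : 0;
        long elapsed = System.nanoTime() - start;
        if (sink == 42) System.out.println("unreachable");   // consume the sink
        return elapsed;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] tag = sha256("constructed message");   // the expected tag (constructed input)
        byte[] same = tag.clone();
        byte[] first = tag.clone(); first[0] ^= 1;    // differs at byte 0
        byte[] last = tag.clone();  last[31] ^= 1;    // differs at byte 31
        byte[] shorter = Arrays.copyOf(tag, 16);      // wrong length

        System.out.println("leakyEquals:        " + leakyEquals(tag, same) + " "
            + leakyEquals(tag, first) + " " + leakyEquals(tag, last) + " " + leakyEquals(tag, shorter));
        System.out.println("constantTimeEquals: " + constantTimeEquals(tag, same) + " "
            + constantTimeEquals(tag, first) + " " + constantTimeEquals(tag, last) + " "
            + constantTimeEquals(tag, shorter));
        // Whether this one is constant-time depends on the JDK version, as the thread notes.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(tag, same));

        int iters = 5_000_000;
        for (int warm = 0; warm < 3; warm++) {        // warm up the JIT before measuring
            timeNanos(ConstantTimeCompare::leakyEquals, tag, first, iters);
            timeNanos(ConstantTimeCompare::constantTimeEquals, tag, first, iters);
        }
        System.out.printf("leakyEquals:        mismatch@0 %d ms, mismatch@31 %d ms%n",
            timeNanos(ConstantTimeCompare::leakyEquals, tag, first, iters) / 1_000_000,
            timeNanos(ConstantTimeCompare::leakyEquals, tag, last, iters) / 1_000_000);
        System.out.printf("constantTimeEquals: mismatch@0 %d ms, mismatch@31 %d ms%n",
            timeNanos(ConstantTimeCompare::constantTimeEquals, tag, first, iters) / 1_000_000,
            timeNanos(ConstantTimeCompare::constantTimeEquals, tag, last, iters) / 1_000_000);
    }
}
```

Compile and run with `javac ConstantTimeCompare.java && java ConstantTimeCompare` (Java 8 or later for the method references). The first two lines print `true false false false` for both comparisons; the timing lines will typically show leakyEquals taking noticeably longer for the mismatch at byte 31 than at byte 0 while constantTimeEquals stays roughly flat, but the exact numbers, and even the gap, depend on the JVM, the JIT and the hardware, which is exactly the caveat raised in the thread.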


