Support ConditionallySelectable for types that are not Copy #94
Comments
|
It's unclear to me what the rationale for the Looking at how |
|
If I understand correctly, Henry's stated reasoning is that allowing I'm not opposed to this reasoning. I just wonder if there's an escape hatch we could make that allows you to do this if you're very careful. |
The impl<T, const N: usize> ConditionallySelectable for [T; N]
where T: ConditionallySelectable + Copy
That is a reasonable concern. However, I do also sympathize with the concern that it may be unwise to impl |
|
Agreed. A not-great idea: make a |
|
Another option besides splitting the pub trait CtClone: Clone {}
impl<T: Copy> CtClone for T {}...and then changing
|
|
Oh, that's pretty nice. I'd be fine with that. |
|
I think a similar argument applies to which is obviously only true if the called closure runs in constant-time but there is nothing enforcing that. |
|
A big drawback of the |
|
However, changing it seems like a breaking change due to removing the supertrait bound on Currently anything that's It's the kind of thing that makes me wish we had something like Crater to see if it would break any real-world code. I think there's a real chance it might. |
|
It seems like the only way to support non- pub trait ConstantTimeClone: Clone {}
impl<T: Copy> ConstantTimeClone for T {}
pub trait ConstantTimeSelect: ConstantTimeClone {
fn ct_select(a: &Self, b: &Self, choice: Choice) -> Self;
[...]
}
impl<T: ConditionallySelectable> ConstantTimeSelect for T {
[...]
}...then |
This is an inherent function with the same type signature as `subtle::ConditionallySelectable::conditional_select`, however we can't impl the upstream trait because it has a `Copy` bound. See dalek-cryptography/subtle#94.
This is an inherent function with the same type signature as `subtle::ConditionallySelectable::conditional_select`, however we can't impl the upstream trait because it has a `Copy` bound. See dalek-cryptography/subtle#94.
|
I've been attempting to make use of I can attest the I can try to open a PR with what I've outlined above, which in theory should be a backwards compatible change as current
|
Unfortunately `BoxedUint` can't impl `subtle::ConditionallySelectable` due to a supertrait bound on `Copy`. See dalek-cryptography/subtle#94 This bound is required by `CtOption::map` and `CtOption::and_then` which are important for writing constant-time code. As a workaround which makes it still possible to leverate `CtOption`, this adds special `BoxedUint`-specialized combinators that are able to work around this issue by generating a placeholder (zero) value to pass to the provided callbacks in the event `CtOption` is none. This requires branching on the output of `CtOption` (which is unavoidable without an upstream fix in `subtle` itself), but still ensures that the provided callback function is called with a `BoxedUint` of a matching number of limbs regardless of whether the `CtOption` is some or none, which is the best we can do for now (and really quite close to what `subtle` is doing under the hood anyway).
Unfortunately `BoxedUint` can't impl `subtle::ConditionallySelectable` due to a supertrait bound on `Copy`. See dalek-cryptography/subtle#94 This bound is required by `CtOption::map` and `CtOption::and_then` which are important for writing constant-time code. As a workaround which makes it still possible to leverate `CtOption`, this adds special `BoxedUint`-specialized combinators that are able to work around this issue by generating a placeholder (zero) value to pass to the provided callbacks in the event `CtOption` is none. This requires branching on the output of `CtOption` (which is unavoidable without an upstream fix in `subtle` itself), but still ensures that the provided callback function is called with a `BoxedUint` of a matching number of limbs regardless of whether the `CtOption` is some or none, which is the best we can do for now (and really quite close to what `subtle` is doing under the hood anyway).
`ConstantTimeSelect` is intended as a replacement to `ConditionallySelectable`, which is preserved but deprecated. It replaces the previous `Copy` bound with a bound on a new `ConstantTimeClone` marker trait, which allows the trait to be impl'd for heap-allocated types. No existing impls of `ConditionallySelectable` have been removed, however a blanket impl of `ConstantTimeSelect` for `T: ConditionallySelectable` has been added, allowing the two traits to interoperate and for `ConstantTimeSelect` to work on all types which currently impl `ConditionallySelectable`. `ConstantTimeClone` likewise has a blanket impl for all types which impl `Copy`. `CtOption`'s combinator methods have been changed to bound on `ConstantTimeSelect` which unlocks using them with heap-allocated types, which otherwise is a major limitation. In theory these changes are all backwards compatible due to the blanket impl, which should allow all types which previously worked to continue to do so. Closes dalek-cryptography#63, dalek-cryptography#94
|
I went ahead and impl'd my aforementioned |
`ConstantTimeSelect` is intended as a replacement to `ConditionallySelectable`, which is preserved but deprecated. It replaces the previous `Copy` bound with a bound on a new `ConstantTimeClone` marker trait, which allows the trait to be impl'd for heap-allocated types. No existing impls of `ConditionallySelectable` have been removed, however a blanket impl of `ConstantTimeSelect` for `T: ConditionallySelectable` has been added, allowing the two traits to interoperate and for `ConstantTimeSelect` to work on all types which currently impl `ConditionallySelectable`. `ConstantTimeClone` likewise has a blanket impl for all types which impl `Copy`. `CtOption`'s combinator methods have been changed to bound on `ConstantTimeSelect` which unlocks using them with heap-allocated types, which otherwise is a major limitation. In theory these changes are all backwards compatible due to the blanket impl, which should allow all types which previously worked to continue to do so. Closes dalek-cryptography#63, dalek-cryptography#94
This is a feature request to support the trait
ConditionallySelectablefor types that are notCopy.Motivation
I have large types (e.g. polynomials of high degree) that I'd like to be conditionally selectable.
The text was updated successfully, but these errors were encountered: