ct

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 16, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

README

Constant-Time Helpers

Package ct provides constant-time operations for cryptographic implementations, helping to prevent timing-based side-channel attacks.

Overview

This package offers constant-time primitives for:

  • Integer operations: comparisons, selection, min/max, and arithmetic operations on signed and unsigned integers
  • Byte slice operations: comparison, XOR, AND, OR, and NOT operations
  • Conditional operations: constant-time selection, assignment, swapping, and negation
  • Choice type: a constant-time boolean for use in cryptographic code

All operations are designed to execute in time independent of their inputs, making them suitable for cryptographic applications where timing leaks could expose sensitive data.

Key Types

  • Choice: A constant-time boolean type (0 or 1)
  • Interfaces: Comparable, Equatable, ConditionallySelectable, ConditionallyAssignable, ConditionallyNegatable

Usage

Use this package when implementing cryptographic algorithms that require resistance to timing attacks. All comparison and conditional operations are designed to avoid data-dependent branching and maintain constant execution time.

Documentation

Overview

Package ct provides constant-time operations for cryptographic implementations, helping to prevent timing-based side-channel attacks.

See README.md for details.

Index

Constants

View Source 
const (
	Zero Choice = 0
	One  Choice = 1

	False Bool = 0
	True  Bool = 1
)

Variables

This section is empty.

Functions

func AndBytes 

func AndBytes[T ~[]byte](dst, x, y T) int

AndBytes computes the bitwise AND of two byte slices and stores the result in dst. panics if dst is smaller than either x or y.

func CMOVInt 

func CMOVInt[I constraints.Integer](dst *I, yes Choice, src *I)

CMOVInt sets *dst = *src iff yes==1; otherwise leaves *dst unchanged.

func CMOVInts 

func CMOVInts[S ~[]I, I constraints.Integer](dst, src S, yes Choice)

CMOVInts does: dst[i] = src[i] iff yes==1; otherwise dst[i] unchanged. Panics if lengths differ.

func CSelectInt 

func CSelectInt[I constraints.Integer](choice Choice, x0, x1 I) I

CSelectInt returns x0 if choice == 0 and x1 if choice == 1. Undefined for other values of choice. It supports both signed and unsigned integer types.

func CSelectInts 

func CSelectInts[S ~[]E, E constraints.Integer](choice Choice, x0, x1 S) S

CSelectInts yields x1 if choice == 1, x0 if choice == 0. Its behaviour is undefined if choice takes any other value.

func CSwapInt 

func CSwapInt[I constraints.Integer](x, y *I, yes Choice)

CSwapInt swaps *x and *y iff yes==1; otherwise leaves them unchanged.

func CSwapInts 

func CSwapInts[S ~[]I, I constraints.Integer](x, y S, yes Choice)

CSwapInts swaps x[i] and y[i] iff yes==1; otherwise unchanged. Panics if lengths differ.

func Isqrt64 

func Isqrt64(n uint64) uint64

Isqrt64 computes floor(sqrt(n)) for a 64-bit n in constant time. Uses binary search with 32 iterations to ensure constant time execution.

func Max 

func Max[T constraints.Integer](a, b T) T

Max returns the larger of a and b in constant time.

func Min 

func Min[T constraints.Integer](a, b T) T

Min returns the smaller of a and b in constant time.

func NotBytes 

func NotBytes[T ~[]byte](dst, x T) int

NotBytes computes the bitwise NOT of a byte slice and stores the result in dst. panics if dst is smaller than x.

func OrBytes 

func OrBytes[T ~[]byte](dst, x, y T) int

OrBytes computes the bitwise OR of two byte slices and stores the result in dst. panics if dst is smaller than either x or y.

func XorBytes 

func XorBytes[T ~[]byte](dst, x, y T) int

XorBytes computes the bitwise XOR of two byte slices and stores the result in dst. panics if dst is smaller than either x or y.

Types

type Bool 

type Bool = Choice

func CompareBytes 

func CompareBytes[T ~[]byte](x, y T) (lt, eq, gt Bool)

CompareBytes is the constant-time counterpart of bytes.Compare. Lexicographic: first differing byte decides; if one is a prefix, the shorter slice is smaller.

func CompareInt 

func CompareInt[I constraints.Integer](x, y I) (gt, eq, lt Bool)

CompareInt compares x and y and returns (gt, eq, lt) where each is 1 or 0.

type Choice 

type Choice uint64

Choice represents a constant-time boolean choice.

func Equal 

func Equal[I constraints.Integer](x, y I) Choice

Equal returns 1 if x == y and 0 otherwise.

func Greater 

func Greater[I constraints.Integer](x, y I) Choice

Greater returns 1 iff x > y, using the natural order of I.

func GreaterOrEqual 

func GreaterOrEqual[I constraints.Integer](x, y I) Choice

GreaterOrEqual returns 1 iff x >= y.

func IsZero 

func IsZero[I constraints.Integer](x I) Choice

IsZero returns 1 if x == 0 and 0 otherwise.

func Less 

func Less[I constraints.Integer](x, y I) Choice

Less returns 1 iff x < y.

func LessI64 

func LessI64(x, y int64) Choice

LessI64 returns 1 iff x < y for int64 values.

func LessOrEqual 

func LessOrEqual[I constraints.Integer](x, y I) Choice

LessOrEqual returns 1 iff x <= y.

func LessU64 

func LessU64(x, y uint64) Choice

LessU64 returns 1 iff x < y for uint64 values.

func SliceEachEqual 

func SliceEachEqual[S ~[]I, I constraints.Integer](s S, e I) Choice

SliceEachEqual returns 1 if all values of s are equal to e and returns 0 otherwise. Based on the subtle package.

func SliceEqual 

func SliceEqual[S ~[]I, I constraints.Integer](x, y S) Choice

SliceEqual returns 1 if x == y.

func SliceIsZero 

func SliceIsZero[S ~[]E, E constraints.Integer](s S) Choice

SliceIsZero returns 1 if all values of s are equal to 0 and returns 0 otherwise. Based on the subtle package.

func (Choice) Not 

func (c Choice) Not() Choice

Not returns the negation of the Choice.

type Comparable 

type Comparable[E any] interface {
	// Compare compares the receiver with rhs and returns gt, eq, lt as Bool values.
	Compare(rhs E) (gt, eq, lt Bool)
}

Comparable represents types that can be compared in constant time.

type ConditionallyAssignable 

type ConditionallyAssignable[E any] interface {
	// CondAssign conditionally assigns rhs to the receiver based on the Choice value.
	CondAssign(Choice, E)
}

ConditionallyAssignable represents types that can be conditionally assigned in constant time.

type ConditionallyNegatable 

type ConditionallyNegatable[E any] interface {
	// CondNeg conditionally negates the receiver based on the Choice value.
	CondNeg(Choice)
}

ConditionallyNegatable represents types that can be conditionally negated in constant time.

type ConditionallySelectable 

type ConditionallySelectable[E any] interface {
	// Select selects between x0 and x1 based on the Choice value.
	Select(choice Choice, x0, x1 E)
}

ConditionallySelectable represents types that can be conditionally selected in constant time.

type Equatable 

type Equatable[E any] interface {
	// Equal checks if the receiver is equal to rhs and returns the result as a Bool value.
	Equal(rhs E) Bool
}

Equatable represents types that can be checked for equality in constant time.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.