From b71f51d25eb8cd1ab1d7756d690802f10729d1b1 Mon Sep 17 00:00:00 2001 From: Henry de Valence Date: Mon, 16 Jul 2018 14:30:14 -0700 Subject: [PATCH] Clarify wording on the nightly feature and CT Closes #147 --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 050c97623..f241f816f 100644 --- a/README.md +++ b/README.md @@ -102,13 +102,19 @@ group. All operations are implemented using constant-time logic (no secret-dependent branches, no secret-dependent memory accesses), unless specifically marked as being variable-time code. -When using the `nightly` feature, we also insert an optimization -barrier before every conditional move or assignment. +We believe that our constant-time logic is lowered to constant-time +assembly, at least on `x86_64` targets. + +As an additional guard against possible future compiler optimizations, the +`nightly` feature places an optimization barrier before every +conditional move or assignment. More details can be found in [the +documentation for the `subtle` crate][subtle_doc]. This is +recommended, but not required. Some functionality (e.g., multiscalar multiplication or batch -inversion) requires heap allocation for temporary buffers. **All +inversion) requires heap allocation for temporary buffers. All heap-allocated buffers of potentially secret data are explicitly -zeroed before release**. +zeroed before release. However, we do not attempt to zero stack data, for two reasons. First, it's not possible to do so correctly: we don't have control @@ -186,3 +192,4 @@ contributions. [docs-internal]: https://doc-internal.dalek.rs/curve25519_dalek/ [criterion]: https://github.com/japaric/criterion.rs [parallel_doc]: https://doc-internal.dalek.rs/curve25519_dalek/backend/avx2/index.html +[subtle_doc]: https://doc.dalek.rs/subtle/
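Review bot: In the first hunk (README.md, `@@ -102,13 +102,19 @@`), the new sentence "We believe that our constant-time logic is lowered to constant-time assembly, at least on `x86_64` targets." states a belief without saying what it rests on; since lowering is a property of a particular compiler version, not of the source, the README should say how this was checked (for example, by inspecting the generated assembly for a named rustc version) and that other targets have not been inspected. The antecedent of "This is recommended, but not required." is also unclear after a sentence about the `subtle` documentation; suggest "Enabling the `nightly` feature is recommended, but not required." Finally, dropping the bold from "All heap-allocated buffers of potentially secret data are explicitly zeroed before release" removes the emphasis on the one zeroing guarantee the crate does make, right before the paragraph explaining that stack data is not zeroed; consider keeping that emphasis so readers do not miss the distinction.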