[WIP] ctutils: automatically use optimized 1-byte CtEq

tarcieri · tarcieri · commit 62bb32884831 · 2026-01-16T19:22:34.000-07:00
As an alternative to the `BytesCtEq` approach to using the optimized
impl of `CmovEq` for `[u8]`, this implementation automatically uses it
for all 1-byte types when the `CtEq` impl for `[T]` is invoked
(or anything that calls it, like the impls on `[T; N]`, `Box&lt;[T]&gt;`, and
`Vec&lt;T&gt;`.

To ensure we're not casting from a slice of a type containing
uninitialized memory to `[u8]`, this bounds all such `CtEq` impls on a
newly introduced `unsafe trait NoUninit`, which is currently not exposed
in the public API except through the bounds. The trait has been impl'd
for all of the types we impl other traits for in this crate.
diff --git a/ctutils/src/byteutils.rs b/ctutils/src/byteutils.rs
@@ -0,0 +1,76 @@
+//! Utilities for leveraging the optimized implementations of `Cmov`/`CmovEq` for types whose size
+//! is 1-byte.
+
+use crate::{Choice, traits::no_uninit::NoUninit};
+use cmov::CmovEq;
+use core::slice;
+
+/// Perform constant-time equality comparison on slices of 1-byte sized types using the optimized
+/// implementation of `CmovEq` for byte slices.
+pub(crate) fn ct_eq<T: NoUninit>(a: &[T], b: &[T]) -> Choice {
+    assert_eq!(
+        size_of::<T>(),
+        1,
+        "this function is intended for 1-byte sized types"
+    );
+
+    // SAFETY:
+    // - We asserted above that `size_of::<T>() == size_of::<u8>() == 1`.
+    // - The `NoUninit` bound ensures the type does not contain uninitialized memory.
+    // - We don't need to worry about alignment because all types are 1-byte.
+    // - 1-byte is too small to contain a pointer/reference.
+    // - We source the slice length directly from the other valid slice.
+    #[allow(unsafe_code)]
+    let (a, b) = unsafe {
+        (
+            slice::from_raw_parts(a.as_ptr() as *const u8, a.len()),
+            slice::from_raw_parts(b.as_ptr() as *const u8, b.len()),
+        )
+    };
+
+    let mut ret = Choice::FALSE;
+    a.cmoveq(b, 1, &mut ret.0);
+    ret
+}
+
+#[cfg(test)]
+mod tests {
+    use core::num::{NonZeroI8, NonZeroU8};
+
+    macro_rules! ct_eq_test {
+        ($name:ident, $a:expr, $b:expr) => {
+            #[test]
+            fn $name() {
+                let x = $a;
+                let y = $b;
+
+                let a = [x, x, x];
+                let b = [x, x, y];
+                let c = [x, y, y];
+                let d = [y, y, y];
+
+                assert!(super::ct_eq(&a, &a).to_bool());
+                assert!(super::ct_eq(&b, &b).to_bool());
+                assert!(super::ct_eq(&c, &c).to_bool());
+                assert!(super::ct_eq(&d, &d).to_bool());
+
+                for rhs in &[b, c, d] {
+                    assert!(!super::ct_eq(&a, rhs).to_bool());
+                }
+            }
+        };
+    }
+
+    ct_eq_test!(i8_ct_eq, 1i8, 2i8);
+    ct_eq_test!(u8_ct_eq, 1u8, 2u8);
+    ct_eq_test!(
+        non_zero_i8_ct_eq,
+        NonZeroI8::new(1i8).unwrap(),
+        NonZeroI8::new(2i8).unwrap()
+    );
+    ct_eq_test!(
+        non_zero_u8_ct_eq,
+        NonZeroU8::new(1u8).unwrap(),
+        NonZeroU8::new(2u8).unwrap()
+    );
+}
diff --git a/ctutils/src/lib.rs b/ctutils/src/lib.rs
@@ -92,6 +92,7 @@
 extern crate alloc;
 
 mod bytes;
+mod byteutils;
 mod choice;
 mod ct_option;
 mod traits;
diff --git a/ctutils/src/traits.rs b/ctutils/src/traits.rs
@@ -11,3 +11,4 @@ pub(crate) mod ct_lookup;
 pub(crate) mod ct_lt;
 pub(crate) mod ct_neg;
 pub(crate) mod ct_select;
+pub(crate) mod no_uninit;
diff --git a/ctutils/src/traits/ct_eq.rs b/ctutils/src/traits/ct_eq.rs
@@ -1,4 +1,4 @@
-use crate::Choice;
+use crate::{Choice, byteutils, traits::no_uninit::NoUninit};
 use cmov::CmovEq;
 use core::{
     cmp,
@@ -109,37 +109,43 @@ impl CtEq for cmp::Ordering {
     }
 }
 
-impl<T: CtEq> CtEq for [T] {
+impl<T> CtEq for [T]
+where
+    T: CtEq + NoUninit,
+{
     #[inline]
     fn ct_eq(&self, other: &[T]) -> Choice {
-        const {
-            assert!(
-                size_of::<T>() != 1,
-                "use `BytesCtEq::bytes_ct_eq` when working with byte-sized values"
-            );
+        /// Iterate over every element in `a_slice` and `b_slice` comparing elements.
+        fn ct_eq_inner<T: CtEq>(a_slice: &[T], b_slice: &[T]) -> Choice {
+            let mut ret = a_slice.len().ct_eq(&b_slice.len());
+            for (a, b) in a_slice.iter().zip(b_slice.iter()) {
+                ret &= a.ct_eq(b);
+            }
+            ret
         }
 
-        let mut ret = self.len().ct_eq(&other.len());
-        for (a, b) in self.iter().zip(other.iter()) {
-            ret &= a.ct_eq(b);
-        }
-        ret
-    }
+        if const { size_of::<T>() == 1 } {
+            let ret = byteutils::ct_eq(self, other);
 
-    #[inline]
-    fn ct_ne(&self, other: &[T]) -> Choice {
-        const {
-            assert!(
-                size_of::<T>() != 1,
-                "use `BytesCtEq::bytes_ct_ne` when working with byte-sized values"
+            // Double-check the result we get from `byteutils::ct_eq` is the same one we would've
+            // gotten had we invoked `CtEq` on each element (i.e. the slow path)
+            debug_assert_eq!(
+                ret.to_bool(),
+                ct_eq_inner(self, other).to_bool(),
+                "mismatch between fast and slow ct_eq implementations"
             );
-        }
 
-        !self.ct_eq(other)
+            ret
+        } else {
+            ct_eq_inner(self, other)
+        }
     }
 }
 
-impl<T: CtEq, const N: usize> CtEq for [T; N] {
+impl<T, const N: usize> CtEq for [T; N]
+where
+    T: CtEq + NoUninit,
+{
     #[inline]
     fn ct_eq(&self, other: &[T; N]) -> Choice {
         self.as_slice().ct_eq(other.as_slice())
@@ -161,7 +167,7 @@ where
 #[cfg(feature = "alloc")]
 impl<T> CtEq for Box<[T]>
 where
-    T: CtEq,
+    T: CtEq + NoUninit,
 {
     #[inline]
     #[track_caller]
@@ -173,7 +179,7 @@ where
 #[cfg(feature = "alloc")]
 impl<T> CtEq<[T]> for Box<[T]>
 where
-    T: CtEq,
+    T: CtEq + NoUninit,
 {
     #[inline]
     #[track_caller]
@@ -185,7 +191,7 @@ where
 #[cfg(feature = "alloc")]
 impl<T> CtEq for Vec<T>
 where
-    T: CtEq,
+    T: CtEq + NoUninit,
 {
     #[inline]
     #[track_caller]
@@ -197,7 +203,7 @@ where
 #[cfg(feature = "alloc")]
 impl<T> CtEq<[T]> for Vec<T>
 where
-    T: CtEq,
+    T: CtEq + NoUninit,
 {
     #[inline]
     #[track_caller]
diff --git a/ctutils/src/traits/no_uninit.rs b/ctutils/src/traits/no_uninit.rs
@@ -0,0 +1,61 @@
+#![allow(unsafe_code)]
+
+use crate::{Choice, CtOption};
+use core::{
+    cmp,
+    num::{
+        NonZeroI8, NonZeroI16, NonZeroI32, NonZeroI64, NonZeroI128, NonZeroU8, NonZeroU16,
+        NonZeroU32, NonZeroU64, NonZeroU128,
+    },
+};
+
+#[cfg(feature = "alloc")]
+use alloc::{boxed::Box, vec::Vec};
+
+/// Marker trait for types which do not contain uninitialized memory.
+pub unsafe trait NoUninit {}
+
+// Impl `NoUninit` for the given type
+macro_rules! impl_no_uninit {
+    ( $($ty:ty),+ ) => {
+        $(
+            unsafe impl NoUninit for $ty {}
+        )+
+    };
+}
+
+impl_no_uninit!(
+    i8,
+    i16,
+    i32,
+    i64,
+    i128,
+    isize,
+    u8,
+    u16,
+    u32,
+    u64,
+    u128,
+    usize,
+    NonZeroI8,
+    NonZeroI16,
+    NonZeroI32,
+    NonZeroI64,
+    NonZeroI128,
+    NonZeroU8,
+    NonZeroU16,
+    NonZeroU32,
+    NonZeroU64,
+    NonZeroU128
+);
+
+unsafe impl NoUninit for Choice {}
+unsafe impl NoUninit for cmp::Ordering {}
+unsafe impl<T: NoUninit> NoUninit for CtOption<T> {}
+unsafe impl<T: NoUninit> NoUninit for [T] {}
+unsafe impl<T: NoUninit, const N: usize> NoUninit for [T; N] {}
+
+#[cfg(feature = "alloc")]
+unsafe impl<T: NoUninit> NoUninit for Box<T> {}
+#[cfg(feature = "alloc")]
+unsafe impl<T: NoUninit> NoUninit for Vec<T> {}
