CRYPTO_VERIFY16(3MONOCYPHER)         LOCAL        CRYPTO_VERIFY16(3MONOCYPHER)

NAME

     crypto_verify16, crypto_verify32, crypto_verify64 — timing-safe data
     comparison

SYNOPSIS

     #include <monocypher.h>

     int
     crypto_verify16(const uint8_t a[16], const uint8_t b[16]);

     int
     crypto_verify32(const uint8_t a[32], const uint8_t b[32]);

     int
     crypto_verify64(const uint8_t a[64], const uint8_t b[64]);

DESCRIPTION

     Cryptographic operations often require comparison of secrets or values
     derived from secrets.  Standard comparison functions like memcmp() tend
     to exit when they find the first difference, leaking information through
     timing differences.

     As an example, say a message authentication code (MAC) is sent over the
     network along with a message, but the correct MAC is secret.  If the
     attacker attempts a forgery, one does not want to reveal “your MAC is
     wrong, and it took 384 microseconds to tell”.  If the next attempt takes
     462 microseconds instead, it tells the attacker they just guessed a byte
     correctly.  That way, an attacker can derive the correct MAC byte by
     byte, and successfully forge a message.  This has led to practical
     attacks in the past.

     To avoid such catastrophic failure, crypto_verify16(), crypto_verify32()
     and crypto_verify64() provide comparison functions whose timing is
     independent of the content of their input.  They compare the first 16,
     32, or 64 bytes of the two byte arrays a and b.

     When in doubt, prefer these functions over memcmp().
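
     The leak described above, shown with a byte counter standing in for a
     stopwatch.  This is an added example, not code from Monocypher:
     leaky_bytes_read(), ct_verify16() and the sample MAC bytes are
     constructed for illustration, and real code should call
     crypto_verify16().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a 16-byte MAC and two wrong guesses. */
static const uint8_t EXPECTED_MAC[16] = {
    0xa1, 0x5c, 0x3e, 0x77, 0x09, 0xd2, 0x4b, 0x90,
    0x1f, 0xe6, 0x38, 0xc4, 0x6a, 0x05, 0xbb, 0x72 };
static const uint8_t GUESS_0[16] = { 0x00 };                   /* no leading byte right */
static const uint8_t GUESS_3[16] = { 0xa1, 0x5c, 0x3e, 0x00 }; /* first 3 bytes right   */

/* Early-exit comparison in the style of memcmp().  Returns how many bytes it
 * read before deciding, a stand-in for its running time. */
static size_t leaky_bytes_read(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return i + 1;   /* stops at the first mismatch */
        }
    }
    return n;
}

/* Hypothetical timing-safe comparison: always reads all 16 bytes, ORs the
 * differences together and decides once, without a data-dependent branch.
 * Same return convention as crypto_verify16(): 0 if equal, -1 otherwise. */
static int ct_verify16(const uint8_t a[16], const uint8_t b[16])
{
    uint8_t diff = 0;
    size_t  i;
    for (i = 0; i < 16; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 -> 0, diff != 0 -> -1 */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u) - 1;
}

int main(void)
{
    printf("early exit, 0 bytes right: %zu bytes read\n",
           leaky_bytes_read(EXPECTED_MAC, GUESS_0, 16));
    printf("early exit, 3 bytes right: %zu bytes read\n",
           leaky_bytes_read(EXPECTED_MAC, GUESS_3, 16));
    printf("ct_verify16 on both guesses: %d %d\n",
           ct_verify16(EXPECTED_MAC, GUESS_0), ct_verify16(EXPECTED_MAC, GUESS_3));
    return 0;
}
```

     The early-exit routine does more work the more leading bytes match,
     while ct_verify16() does the same work and returns the same -1 for
     both wrong guesses.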

RETURN VALUES

     These functions return 0 if the two memory chunks are the same, -1
     otherwise.

SEE ALSO

     intro(3monocypher)

HISTORY

     The crypto_verify16(), crypto_verify32(), crypto_verify64() functions
     first appeared in Monocypher 1.1.0.  They replaced the crypto_memcmp()
     and crypto_zerocmp() functions that were present until Monocypher 1.0.1.

BSD                             March 31, 2020                             BSD