Date: Tue, 9 Dec 2025 16:21:26 +0100
On 12/9/25 09:07, Shivam Kunwar via Std-Proposals wrote:
> The Problem :
>
> Cryptographic code needs to perform conditional selection without
> leaking timing information. The standard pattern looks like this
>
> // Intended to be constant-time
> uint64_t mask = -(uint64_t)(!!cond);
> result = (a & mask) | (b & ~mask);

Notice that SIMD works this way.

> template<class T>
> constexpr T select_explicit(bool test, T a, T b) noexcept;

It may be beneficial to explore the direction taken in the std::simd
proposal, which has an exposition-only conditional function because
the conditional operator cannot be overloaded:
https://eel.is/c%2B%2Bdraft/simd.nonmembers#simd.cond
There is also a proposal to make the conditional operator overloadable:
https://wg21.link/P0917
This does not, however, solve the problem of optimizers favouring
conditional instructions.
Received on 2025-12-09 15:21:34
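
The mask pattern quoted in the message, with a best-effort guard against the optimizer issue raised in the reply, as an added example (not code from the proposal or from either poster). `value_barrier`, `ct_mask`, `ct_select` and `ct_select_bytes` are hypothetical names; the empty inline-asm barrier assumes GCC or Clang and is not a guarantee the standard provides.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>

// Hide a value from the optimizer so it cannot prove the mask is only ever
// all-zeros or all-ones. Empty inline asm is a GCC/Clang extension (assumed
// toolchain); it is best effort, not a language-level guarantee.
inline std::uint64_t value_barrier(std::uint64_t v) noexcept {
#if defined(__GNUC__) || defined(__clang__)
    __asm__ volatile("" : "+r"(v));
#endif
    return v;
}

// 0 -> 0x00..00, 1 -> 0xFF..FF, as in the quoted pattern.
inline std::uint64_t ct_mask(bool test) noexcept {
    return value_barrier(-static_cast<std::uint64_t>(test));
}

// Returns a if test is true, otherwise b (unsigned integer types only).
template <class T>
T ct_select(bool test, T a, T b) noexcept {
    static_assert(std::is_unsigned<T>::value, "unsigned integer types only");
    const T mask = static_cast<T>(ct_mask(test));
    return static_cast<T>((a & mask) | (b & static_cast<T>(~mask)));
}

// Buffer form: out[i] = test ? a[i] : b[i], touching both inputs every time.
inline void ct_select_bytes(bool test, const std::uint8_t* a,
                            const std::uint8_t* b, std::uint8_t* out,
                            std::size_t n) noexcept {
    const std::uint8_t mask = static_cast<std::uint8_t>(ct_mask(test));
    for (std::size_t i = 0; i < n; ++i)
        out[i] = static_cast<std::uint8_t>((a[i] & mask) | (b[i] & ~mask));
}

int main() {
    // Constructed sample values.
    const std::uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {9, 8, 7, 6};
    std::uint8_t out[4] = {};
    ct_select_bytes(false, k1, k2, out, 4);
    const bool ok = out[0] == 9 && ct_select<std::uint32_t>(true, 5u, 7u) == 5u;
    return ok ? 0 : 1;
}
```

The barrier only removes what the compiler knows about the mask, so the generated assembly still has to be inspected for each compiler, optimization level and target.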
