There is already a recently-formed group of maintainers for sodiumoxide, since the original contributor doesn’t have time to maintain the crate, which consists largely of rusty (i.e., oxidized) bindings to the C NaCl (i.e., sodium chloride, salt) library.
Re constant-time operations, which is an approach to eliminate one class of straightforward side-channel timing attacks, MIR would need a way to annotate a region of its output to suppress certain classes of optimization by LLVM and other compiler backends. I don’t think it’s likely that LLVM and other backends, which are driven primarily by the needs of C and C++, will evolve support for such a feature. Even if they do, the resulting code is still exposed to all the other classes of side-channel timing attacks.
The Rust subtle crate uses Nightly and assembly to nominally “touch” a register, with the intent of suppressing LLVM optimizations across that point in the code. As @hdevalence mentioned, there’s no guarantee that this approach will continue to work with LLVM, or work at all with other potential backends.
As of today, the best way to reduce timing side-channel attacks is to write the susceptible code in assembly. Unfortunately, that’s an architecture-specific Nightly feature, and is likely to remain so. It also does little to mitigate the ever-growing class of attacks (e.g., Spectre, Meltdown, …) against the speculative execution hardware in many modern processors, and can’t do anything about instructions with data-dependent variable timing, such as scalar integer multiply on PowerPC and ARM processors.
The long-term answer is to develop high-throughput processors without such susceptibility, as well as cryptographic algorithms in which any potentially timing-dependent operations offer little assistance to cryptanalysis. Progress is being made on both those fronts.
In the shorter term it would be worth developing a way to convert a conditional into a uN bit mask (all zeros or all ones) in constant time, first in MIR and then propagated through LLVM and other backends. That would be enough to permit constant-time pseudo-Boolean bit operations (e.g., and, or, xor, not), as well as conditional-select, conditional-negate, conditional-swap, conditional-assign and perhaps other basic conditional operations. The subtle crate offers a starting point.
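The bit-mask building blocks the post describes, as an added example that is not part of the original post and is not code from the subtle crate or sodiumoxide: a flag (0 or 1) is turned into an all-zeros or all-ones u64 mask, and conditional-select, conditional-assign, conditional-swap and conditional-negate are built from that mask with plain and/or/xor/subtract, with no data-dependent branch in the source. It also shows the other direction, deriving a 0/1 flag from a comparison without branching, and uses that for a no-early-exit byte comparison. The helper names (`mask_u64`, `ct_select`, `ct_eq_bytes`, and so on) are this example's own. `std::hint::black_box` is used as a best-effort optimization barrier; as the post says, nothing in stable Rust today guarantees that LLVM keeps the branch-free shape, so the example demonstrates the pattern rather than a proven constant-time guarantee.

```rust
// Added example (not from the original post or any crate it mentions):
// conditional operations built from a bool-to-bitmask conversion.
// black_box is a hint, not a guarantee, that the optimizer will not
// rewrite the arithmetic below into a conditional branch.
use std::hint::black_box;

/// Convert a choice flag (must be 0 or 1) into an all-zeros or all-ones mask.
#[inline(always)]
pub fn mask_u64(choice: u8) -> u64 {
    debug_assert!(choice <= 1, "choice must be 0 or 1");
    let c = black_box(choice) as u64;
    // 0 - 0 == 0x0000...0000, 0 - 1 wraps to 0xFFFF...FFFF
    0u64.wrapping_sub(c)
}

/// Return `b` when choice == 1, else `a`, using only mask arithmetic.
pub fn ct_select(a: u64, b: u64, choice: u8) -> u64 {
    let m = mask_u64(choice);
    // (a ^ b) & m is a ^ b under an all-ones mask and 0 otherwise;
    // xoring that into a yields b or a respectively.
    a ^ ((a ^ b) & m)
}

/// Overwrite `dst` with `src` when choice == 1, leave it unchanged otherwise.
pub fn ct_assign(dst: &mut u64, src: u64, choice: u8) {
    *dst = ct_select(*dst, src, choice);
}

/// Swap `a` and `b` when choice == 1, leave both unchanged otherwise.
pub fn ct_swap(a: &mut u64, b: &mut u64, choice: u8) {
    let m = mask_u64(choice);
    let t = (*a ^ *b) & m;
    *a ^= t;
    *b ^= t;
}

/// Two's-complement (wrapping) negate `x` when choice == 1, else return `x`.
pub fn ct_negate(x: u64, choice: u8) -> u64 {
    let m = mask_u64(choice);
    // With m == all-ones: (x ^ m) - m == !x + 1 == -x (mod 2^64).
    // With m == 0: (x ^ 0) - 0 == x.
    (x ^ m).wrapping_sub(m)
}

/// The reverse direction: a 0/1 flag for `a == b` derived without a branch.
pub fn ct_eq_u64(a: u64, b: u64) -> u8 {
    let d = a ^ b;
    // For d != 0, either d or -d has its top bit set, so the shifted
    // value is 1 exactly when the inputs differ; invert to get "equal".
    let nonzero = (d | d.wrapping_neg()) >> 63;
    (nonzero ^ 1) as u8
}

/// Compare two byte slices without exiting early at the first mismatch.
/// Returns 1 if equal, 0 otherwise. Lengths are treated as public.
pub fn ct_eq_bytes(a: &[u8], b: &[u8]) -> u8 {
    if a.len() != b.len() {
        return 0;
    }
    let mut acc: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        acc |= x ^ y; // accumulate every difference; no data-dependent exit
    }
    ct_eq_u64(acc as u64, 0)
}

fn main() {
    let (mut a, mut b) = (0x1111u64, 0x2222u64);
    ct_swap(&mut a, &mut b, 1);
    println!("swap: a={a:#x} b={b:#x}");
    println!("select: {}", ct_select(10, 20, 0));
    println!("negate: {}", ct_negate(5, 1) as i64);
    println!("eq: {}", ct_eq_bytes(b"mac-tag", b"mac-tag"));
}
```

In practice a routine like `ct_eq_bytes` is what a MAC or signature verifier wants: the work done does not depend on where the first differing byte sits. Whether the compiled output keeps that shape is the part the post says must eventually be expressed in MIR and honoured by the backend; inspecting the generated assembly for the target in question is the only check available today.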