Bug#765893: streql - Constant-time string comparison

To: Leslie S Satenstein <lsatenstein@yahoo.com>
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>, 765893@bugs.debian.org
Subject: Bug#765893: streql - Constant-time string comparison
From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>
Date: Fri, 31 Oct 2014 09:43:20 +1100
Message-id: <[🔎] 5452BF08.6090804@bitmessage.ch>
Reply-to: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>, 765893@bugs.debian.org
In-reply-to: <1372031245.283841.1414640658191.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com>
References: <[🔎] 54514B28.70107@bitmessage.ch> <1372031245.283841.1414640658191.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com>

If your only concern is if the strings are equal, or which is the
shortest, then I agree that constant-time evaluation would not be
important to you. For that reason, you probably wouldn't need streql;
you could just use the built-in functions.

On 30/10/14 14:44, Leslie S Satenstein wrote:
> Here is a question for you
> Why is it necessary to test the string match for the entire length if the strings disagree with the first byte?
> When one uses a string compare, we want to know if the strings are equal, or which of the two is the lower collating one.   
> That would be done, for example in a logic design where one has multiple strings, and one wants to choose the lowest collating string or at least the string that is equal. 
> 
> Consider merging two files sorted in string order and now you wish to perform a merge.
> Suppose the files are in the order of 200,000 records each. Or, if in banking, or government applications, in the order of 20 million records per file. 
> 
>  Regards 
>  Leslie
>  Mr. Leslie Satenstein
> Montréal Québec, Canada
> 
> 
>  
>       From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>
>  To: Leslie S Satenstein <lsatenstein@yahoo.com> 
> Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>; 765893@bugs.debian.org 
>  Sent: Wednesday, October 29, 2014 4:16 PM
>  Subject: Re: streql - Constant-time string comparison
>    
> On 30/10/14 01:34, Leslie S Satenstein wrote:
>> Hi Riley
>>
>> Suppose the strings are 10k bytes each (10240), but they differ at byte zero, 
>> where is the break instruction to stop the compare?
> 
> Why would there need to be a break instruction? That would mean that the
> time taken to compare strings of equal length would change depending on
> the length of the string, unless I'm mistaken.
> 
>> The code needs an addition to the for loop as shown below. 
>> In place of xor, the return of a comparison when non zero is encountered would allow one to know if string x < string y or the contrary.
> 
> Sorry, but I don't understand what you mean. Why is it important to be
> able to know whether string x > string y or vice versa?
> 
> 
> 
>>   Regards 
>>   Leslie
>>   Mr. Leslie Satenstein
>> Montréal Québec, Canada
> 
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 54514B28.70107@bitmessage.ch">https://lists.debian.org/[🔎] 54514B28.70107@bitmessage.ch
> 
> 
>    
>

Reply to:

References:
- Bug#765893: streql - Constant-time string comparison
  - From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>

Prev by Date: Bug#763029: marked as done (RFS: cligh/0.2-1 [ITP] -- console Github manipulation tool)
Next by Date: Bug#750136: marked as done (RFS: freemind/1.0.1-1 [ITA])
Previous by thread: Bug#765893: streql - Constant-time string comparison
Next by thread: Bug#765893: streql - Constant-time string comparison
Index(es):
- Date
- Thread