1

The RC6 wiki uses a variable left rotation value that depends on a logarithmic value. I am interested in finding a way to implement constant-time C code for RC6. Is there open source, or an idea of how to implement the variable left rotation in constant-time code?

hardyrama
    Please read [the help pages](http://stackoverflow.com/help), especially ["What topics can I ask about here?"](http://stackoverflow.com/help/on-topic) and ["What types of questions should I avoid asking?"](http://stackoverflow.com/help/dont-ask). Also [take the tour](http://stackoverflow.com/tour) and [read about how to ask good questions](http://stackoverflow.com/help/how-to-ask) and [this question checklist](https://codeblog.jonskeet.uk/2012/11/24/stack-overflow-question-checklist/). Lastly learn how to create a [mcve]. – Some programmer dude Jan 14 '19 at 09:32
  • 1
    The rotation itself is in constant time on almost all modern cpus (barrel-shifter). However, the calculation _by how many bits_ should be shifted is another thing. Afaics, `lg w` is a constant, so this is not a problem, too. So the rotation `x <<< lg w` should be performed in constant time. – Ctx Jan 14 '19 at 09:33
  • Thinking again, even without a barrel shifter, the rotation is always performed in constant time if the amount of bits by which the value should be rotated is constant. – Ctx Jan 14 '19 at 09:35
  • What about parts A and C, as they depend on u and t in the following code: `t = (B*(2B + 1)) <<< lg w`, `u = (D*(2D + 1)) <<< lg w`, `A = ((A ⊕ t) <<< u) + S[2i]`, `C = ((C ⊕ u) <<< t) + S[2i + 1]` – hardyrama Jan 14 '19 at 09:44
  • 1
    @hardyrama Again, the rotation operation itself is performed in constant time. The calculation of the operands might be not. – Ctx Jan 14 '19 at 09:50

1 Answer

2

This point is addressed in section 4.1 of https://pdfs.semanticscholar.org/bf3e/23be81385817319524ee6bb1d62e9054d153.pdf . The short summary is:

  • Most processors take constant time for rotations, including data-dependent rotations (that was the case when RC6 was proposed, anyway).

  • Even if the run time of a shift by k bits is proportional to k cycles, a circular left rotation is a left shift by k bits followed by a right shift by 32-k bits, so the total is a constant 32 cycles.

I don't know fine details of modern architectures, but I suppose I would turn the question around and ask for an example where that logic is not true.

TheGreatContini
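As an added example (not part of the original answer, and not the RC6 designers' reference code): a complete RC6-32/20/16 in C that implements the data-dependent rotation two ways. `rotl_barrel` is the ordinary form that relies on the CPU's barrel shifter, as the answer's first point assumes. `rotl_ct` never feeds the data-dependent count into a shift instruction at all: it consumes the five count bits one at a time and selects, with an all-ones or all-zeros mask, between the word and a fixed-amount rotation of it (by 1, 2, 4, 8 and 16), so the work done is the same for every count even on a core whose variable shift is a count-dependent loop. The cipher below uses `rotl_ct` everywhere; the self-test checks the specification's all-zero key/plaintext vector and a decrypt round trip. Function names and layout are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC6-32/20/16: 32-bit words, 20 rounds, 16-byte key, 44 round-key words. */
#define RC6_W      32u
#define RC6_LGW    5u
#define RC6_ROUNDS 20u
#define RC6_NSUB   (2u * RC6_ROUNDS + 4u)
#define RC6_P32    0xB7E15163u
#define RC6_Q32    0x9E3779B9u

/* Ordinary rotation: one barrel-shifter instruction on most CPUs, hence
 * constant-time there. The masks keep every shift count in 0..31. */
static uint32_t rotl_barrel(uint32_t x, uint32_t k) {
    k &= RC6_W - 1;
    return (x << k) | (x >> ((RC6_W - k) & (RC6_W - 1)));
}

/* Count-independent rotation: k is only ever read bit by bit, never used
 * as a shift amount. Each step rotates by a compile-time constant and a
 * mask (0xFFFFFFFF if bit i of k is set, else 0) keeps or discards it. */
static uint32_t rotl_ct(uint32_t x, uint32_t k) {
    for (unsigned i = 0; i < RC6_LGW; i++) {
        unsigned amt = 1u << i;                       /* 1, 2, 4, 8, 16 */
        uint32_t rotated = (x << amt) | (x >> (RC6_W - amt));
        uint32_t mask = 0u - ((k >> i) & 1u);
        x = (rotated & mask) | (x & ~mask);
    }
    return x;
}
static uint32_t rotr_ct(uint32_t x, uint32_t k) {
    return rotl_ct(x, (RC6_W - (k & (RC6_W - 1))) & (RC6_W - 1));
}

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* RC6 key schedule; L[j] rotation amount A+B is data-dependent, so it
 * uses rotl_ct as well (the key is secret data too). */
void rc6_key_schedule(const uint8_t key[16], uint32_t S[RC6_NSUB]) {
    const unsigned c = 4;
    uint32_t L[4], A = 0, B = 0;
    unsigned i = 0, j = 0;
    for (unsigned n = 0; n < c; n++) L[n] = load_le32(key + 4 * n);
    S[0] = RC6_P32;
    for (unsigned n = 1; n < RC6_NSUB; n++) S[n] = S[n - 1] + RC6_Q32;
    for (unsigned s = 0; s < 3 * RC6_NSUB; s++) {      /* v = 3*max(c, 2r+4) */
        A = S[i] = rotl_ct(S[i] + A + B, 3);
        B = L[j] = rotl_ct(L[j] + A + B, A + B);
        i = (i + 1) % RC6_NSUB;
        j = (j + 1) % c;
    }
}

void rc6_encrypt_block(const uint32_t S[RC6_NSUB], const uint8_t in[16], uint8_t out[16]) {
    uint32_t A = load_le32(in), B = load_le32(in + 4), C = load_le32(in + 8), D = load_le32(in + 12);
    B += S[0];
    D += S[1];
    for (unsigned i = 1; i <= RC6_ROUNDS; i++) {
        uint32_t t = rotl_ct(B * (2 * B + 1), RC6_LGW);   /* fixed amount lg w */
        uint32_t u = rotl_ct(D * (2 * D + 1), RC6_LGW);
        A = rotl_ct(A ^ t, u) + S[2 * i];                  /* data-dependent amounts */
        C = rotl_ct(C ^ u, t) + S[2 * i + 1];
        uint32_t tmp = A; A = B; B = C; C = D; D = tmp;
    }
    A += S[2 * RC6_ROUNDS + 2];
    C += S[2 * RC6_ROUNDS + 3];
    store_le32(out, A); store_le32(out + 4, B); store_le32(out + 8, C); store_le32(out + 12, D);
}

void rc6_decrypt_block(const uint32_t S[RC6_NSUB], const uint8_t in[16], uint8_t out[16]) {
    uint32_t A = load_le32(in), B = load_le32(in + 4), C = load_le32(in + 8), D = load_le32(in + 12);
    C -= S[2 * RC6_ROUNDS + 3];
    A -= S[2 * RC6_ROUNDS + 2];
    for (unsigned i = RC6_ROUNDS; i >= 1; i--) {
        uint32_t tmp = D; D = C; C = B; B = A; A = tmp;
        uint32_t u = rotl_ct(D * (2 * D + 1), RC6_LGW);
        uint32_t t = rotl_ct(B * (2 * B + 1), RC6_LGW);
        C = rotr_ct(C - S[2 * i + 1], t) ^ u;
        A = rotr_ct(A - S[2 * i], u) ^ t;
    }
    D -= S[1];
    B -= S[0];
    store_le32(out, A); store_le32(out + 4, B); store_le32(out + 8, C); store_le32(out + 12, D);
}

/* 1 if rotl_ct agrees with the barrel-shifter form for counts 0..69
 * (counts above 31 reduce mod 32 in both). */
int rotl_ct_matches_barrel(uint32_t x) {
    for (uint32_t k = 0; k < 70; k++)
        if (rotl_ct(x, k) != rotl_barrel(x, k)) return 0;
    return 1;
}

/* 1 if the RC6 spec's all-zero key/plaintext vector encrypts to
 * 8fc3a53656b1f778c129df4e9848a41e and decrypts back. */
int rc6_selftest(void) {
    static const uint8_t key[16] = {0}, pt[16] = {0};
    static const uint8_t expect[16] = {0x8f,0xc3,0xa5,0x36,0x56,0xb1,0xf7,0x78,
                                       0xc1,0x29,0xdf,0x4e,0x98,0x48,0xa4,0x1e};
    uint32_t S[RC6_NSUB];
    uint8_t ct[16], back[16];
    rc6_key_schedule(key, S);
    rc6_encrypt_block(S, pt, ct);
    rc6_decrypt_block(S, ct, back);
    return memcmp(ct, expect, 16) == 0 && memcmp(back, pt, 16) == 0;
}

int main(void) {
    printf("rotation agreement: %s\n", rotl_ct_matches_barrel(0x80000001u) ? "ok" : "FAIL");
    printf("RC6 self-test:      %s\n", rc6_selftest() ? "ok" : "FAIL");
    return 0;
}
```

Two caveats a practitioner would check. First, the compiler is free to recognise the mask-select idiom and emit a branch or a variable shift; inspect the generated assembly (e.g. `objdump -d`) at the optimisation level you ship, since constant-time C is a property of the binary, not the source. Second, as the comment thread notes, the rotation amount is not the only operand-dependent step: `B * (2B + 1)` is a multiply, and on some cores multiply latency depends on the operand values, so a fully constant-time RC6 has to account for that as well.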