Jeffrey,

> Forgive my ignorance... No'oping 0 leaks timing information

There are only a few algorithms where leaking timing information is an issue.
For most of the code we deal with, the developer wants to get optimal
performance.

> I also don't think developers are going to write a rotate like:
>
>   if (n != 0)
>     x = rotr32(x, n);

Sure they will. Here's an example from lib/vasnprintf.c, where a shift count
of 0 is treated specially:

      /* Copy a, shifting it left by s bits, yields r.
         Memory layout:
         At the beginning: r = roomptr[0..a_len],
         at the end: r = roomptr[0..b_len-1], q = roomptr[b_len..a_len]  */
      r_ptr = roomptr;
      if (s == 0)
        {
          memcpy (r_ptr, a_ptr, a_len * sizeof (mp_limb_t));
          r_ptr[a_len] = 0;
        }
      else
        {
          const mp_limb_t *sourceptr = a_ptr;
          mp_limb_t *destptr = r_ptr;
          mp_twolimb_t accu = 0;
          size_t count;
          for (count = a_len; count > 0; count--)
            {
              accu += (mp_twolimb_t) *sourceptr++ << s;
              *destptr++ = (mp_limb_t) accu;
              accu = accu >> GMP_LIMB_BITS;
            }
          *destptr++ = (mp_limb_t) accu;
        }

Bruno
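
The two rotate styles debated in this thread, side by side, as an added example (not code from gnulib or from either poster): one special-cases a zero count, the other masks the count so that n == 0 needs no branch. The function names and sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Style 1: special-case a zero count, like the quoted "if (n != 0)" pattern.
   The branch avoids the undefined 32-bit shift by 32, but control flow now
   depends on the value of n. */
static uint32_t rotr32_branch(uint32_t x, unsigned n)
{
    n &= 31;
    if (n == 0)
        return x;
    return (x >> n) | (x << (32 - n));
}

/* Style 2: branch-free. (-n & 31) is 32 - n for n in 1..31 and 0 for n == 0,
   so both shift counts stay in 0..31 and neither shift is undefined. */
static uint32_t rotr32_masked(uint32_t x, unsigned n)
{
    n &= 31;
    return (x >> n) | (x << (-n & 31));
}

/* Returns how many (x, n) pairs make the two styles disagree.
   The sample words are constructed test values. */
static unsigned count_mismatches(void)
{
    static const uint32_t samples[] =
        { 0u, 1u, 0x80000000u, 0xDEADBEEFu, 0xFFFFFFFFu };
    unsigned bad = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (unsigned n = 0; n < 64; n++)
            if (rotr32_branch(samples[i], n) != rotr32_masked(samples[i], n))
                bad++;
    return bad;
}

int main(void)
{
    printf("mismatches: %u\n", count_mismatches());
    printf("rotr32(0x00000001, 1) = 0x%08X\n", (unsigned) rotr32_masked(1u, 1));
    printf("rotr32(0xDEADBEEF, 0) = 0x%08X\n",
           (unsigned) rotr32_masked(0xDEADBEEFu, 0));
    return 0;
}
```

Whether either form compiles to a single rotate instruction, and whether the first keeps its branch, depends on the compiler and target, so check the generated assembly where timing matters.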