Boring crypto that simply works

timing-safe data comparison

#include <monocypher.h>

crypto_verify16(const uint8_t a[16], const uint8_t b[16]);

crypto_verify32(const uint8_t a[32], const uint8_t b[32]);

crypto_verify64(const uint8_t a[64], const uint8_t b[64]);

Cryptographic operations often require comparison of secrets or values derived from secrets. Standard comparison functions like memcmp(3) tend to exit when they find the first difference, leaking information through timing differences.

As an example, say a message authentication code (MAC) is sent over the network along with a message, but the correct MAC is secret. If the attacker attempts a forgery, one does not want to reveal “your MAC is wrong, ”. If the next attempt takes 462 microseconds instead, it tells the attacker that they just guessed a byte correctly. That way, an attacker can derive the correct MAC byte by byte and successfully forge a message. This has led to practical attacks in the past.

To avoid such catastrophic failure, (), (), and () provide comparison functions whose timing is independent from the content of their input. They compare the first 16, 32, or 64 bytes of the two byte arrays a and b.

When in doubt, prefer these functions over memcmp(3).

These functions return 0 if the two memory chunks are the same and -1 otherwise.


The crypto_verify16(), crypto_verify32(), crypto_verify64(), functions first appeared in Monocypher 1.1.0. They replaced the crypto_memcmp() and crypto_zerocmp() functions that were present until Monocypher 1.0.1.

Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in . Make sure your inputs are correct.

March 31, 2020 Debian