Hi Jeff,

2017-03-31 8:05 GMT+02:00 Jeffrey Walton <noloader@xxxxxxxxx>:
>>> Also note that '(b & ((u64)1 << 63)) ? 0x87 : 0x00;' is actually getting
>>> compiled as '((s64)b >> 63) & 0x87', which is branchless and therefore makes the
>>> new version more efficient than one might expect:
>>>
>>>     sar $0x3f,%rax
>>>     and $0x87,%eax
>>>
>>> It could even be written the branchless way explicitly, but it shouldn't matter.
>>
>> I think the definition using unsigned operations is more intuitive...
>> Let's just leave the clever tricks up to the compiler :)
>
> It may be a good idea to use the one that provides constant time-ness
> to help avoid leaking information.

That's a good point... I played around with various ways to write the
expression in Compiler Explorer [1] and indeed GCC fails to produce
constant-time code from my version on some architectures (e.g. the 32-bit
ARM). The version with an explicit arithmetic right shift seems to produce
the most efficient code across platforms, so I'll rewrite it like that for v3.

Thanks,
O.M.

[1] https://gcc.godbolt.org/
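The two ways of computing the GF(2^128) reduction mask discussed in the thread, side by side inside a complete tweak-by-x multiplication, as an added example that is not code from the thread or from the kernel; the struct layout, field names (lo/hi) and the extra portable mask variant are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit XTS tweak in byte-little-endian layout: lo holds bytes 0..7
 * (bit 0 = least significant), hi holds bytes 8..15. Names are this
 * example's own, not the kernel's be128. */
struct tweak128 { uint64_t lo, hi; };

/* Conditional form from the thread: the compiler may or may not turn the
 * ?: into branch-free code, so constant-time behaviour is not guaranteed. */
static uint64_t reduce_mask_cond(uint64_t hi)
{
    return (hi & ((uint64_t)1 << 63)) ? 0x87 : 0x00;
}

/* Explicit arithmetic-right-shift form: the top bit is smeared across all
 * 64 bits (all-ones or all-zeros), then ANDed with the reduction constant.
 * Right-shifting a negative value is implementation-defined in ISO C, but
 * GCC and Clang define it as arithmetic, which is what the thread relies on. */
static uint64_t reduce_mask_sar(uint64_t hi)
{
    return (uint64_t)((int64_t)hi >> 63) & 0x87;
}

/* Fully portable branch-free variant (added here): 0 - (0 or 1) is 0 or
 * all-ones in unsigned arithmetic, with no implementation-defined step. */
static uint64_t reduce_mask_neg(uint64_t hi)
{
    return (0 - (hi >> 63)) & 0x87;
}

/* Returns 1 if all three mask computations agree for the given high word. */
static int masks_agree(uint64_t hi)
{
    uint64_t c = reduce_mask_cond(hi), s = reduce_mask_sar(hi), n = reduce_mask_neg(hi);
    return c == s && s == n;
}

/* Multiply the tweak by x (alpha) modulo x^128 + x^7 + x^2 + x + 1:
 * shift the 128-bit value left by one and fold the carry out of bit 127
 * back into the low byte as 0x87. mask_fn picks the mask computation. */
static struct tweak128 gf128_mul_x(struct tweak128 t, uint64_t (*mask_fn)(uint64_t))
{
    struct tweak128 r;
    uint64_t tt = mask_fn(t.hi);           /* 0x87 if bit 127 was set, else 0 */
    r.hi = (t.hi << 1) | (t.lo >> 63);     /* carry bit 63 of lo into hi */
    r.lo = (t.lo << 1) ^ tt;               /* reduce the dropped bit 127 */
    return r;
}
```

Compile with -O2 and compare the generated assembly for each mask function to see which one your target compiler keeps branch-free.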