Every cryptography library says it's secure and performant.

Very few can explain how that security is validated and how that performance is proven after every change.

One of the easiest mistakes in cryptographic engineering is assuming code is constant-time because it looks constant-time. The source looks branchless. The review looks clean. The helper uses the right equality function. Then an optimization, a target-specific lowering decision, a tiny refactor, or a new fast path changes the binary that actually runs. The maxim 'Don't roll your own crypto' exists for this reason, among many more.

That matters a great deal because performance work and side-channel resistance are not separate worlds. If you want a crypto crate to compete with native libraries, you end up very close to the compiler, close to the CPU, and on top of target-specific behavior. That is exactly where "looks constant-time" stops being enough, and where early Reddit/HN feedback pushed me to make the evidence story explicit.
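One narrow way to check the binary rather than the source, as an added example that is not rscrypto's own code: scan `objdump -d --no-show-raw-insn` output for conditional jumps inside the symbols you expect to be branch-free. The symbol names `ct_eq_32` and `eq_fast_path` and the x86-64 listing are constructed for illustration; a hit needs triage (a branch on a public length is fine), and a clean result does not prove constant-time behavior, since memory access patterns and variable-latency instructions are not covered.

```rust
// Added example: flag conditional jumps in watched symbols of an objdump listing.
// LISTING is constructed sample text (AT&T syntax), not output from a real build.
const LISTING: &str = "\
0000000000001000 <ct_eq_32>:
    1000:\tmov    (%rdi),%rax
    1003:\txor    (%rsi),%rax
    1006:\tsete   %al
    1009:\tret
0000000000001010 <eq_fast_path>:
    1010:\tmov    (%rdi),%rax
    1013:\tcmp    (%rsi),%rax
    1016:\tjne    1020 <eq_fast_path+0x10>
    1018:\tmov    $0x1,%al
    101a:\tret
";

/// x86-64 mnemonics whose control flow depends on flags or a counter register.
fn is_conditional_branch(m: &str) -> bool {
    (m.starts_with('j') && !m.starts_with("jmp")) || m.starts_with("loop")
}

/// Returns (symbol, address, mnemonic) for each conditional branch in `watched` symbols.
fn find_branches<'a>(listing: &'a str, watched: &[&str]) -> Vec<(&'a str, &'a str, &'a str)> {
    let mut current: Option<&str> = None;
    let mut hits = Vec::new();
    for line in listing.lines() {
        // Symbol header looks like "<addr> <name>:".
        if let Some(rest) = line.strip_suffix(">:") {
            current = rest.rsplit_once('<').map(|(_, name)| name);
            continue;
        }
        let Some(sym) = current else { continue };
        if !watched.contains(&sym) { continue; }
        // Instruction line: "addr:\t[raw bytes\t]mnemonic operands".
        let Some((addr, insn)) = line.trim().split_once(":\t") else { continue };
        let insn = insn.rsplit('\t').next().unwrap_or(insn);
        let Some(mnemonic) = insn.split_whitespace().next() else { continue };
        if is_conditional_branch(mnemonic) {
            hits.push((sym, addr, mnemonic));
        }
    }
    hits
}

fn main() {
    for (sym, addr, m) in find_branches(LISTING, &["ct_eq_32", "eq_fast_path"]) {
        println!("{sym}: conditional branch `{m}` at {addr}");
    }
}
```

Run against every release build and target, a check like this catches the case described above where a new fast path or lowering decision reintroduces a branch that the source never showed.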

In rscrypto v0.4.0, I focused on turning constant-time behavior into release evidence instead of a style assertion or general promise, as well as adding Wycheproof test vectors for as many primitives as possible.