Marc Stevens
This version of the collision detection library checks if any unavoidable attack conditions are not satisfied to opportunistically skip work. Because of this it cannot execute in constant time....
Constant time is a requirement for some uses, ensuring no information on sensitive hashed data is leaked via timing discrepancies, particularly during the execution of a network protocol. The cost...
For constant-time we should be able to activate the SIMD stuff to get a nice factor back.
I've made the constant-time changes to the comparisons. I'll leave this issue open now for documentation.
This is already a run-time option, see README. Since constant time hasn't been really tested, we make no such claims. But I don't see any obvious reason why disabling UBC...
No problem, it wasn't very clear. Also I see I should rephrase the README comment to make clear that disabling UBCs will slow it down significantly.
Does branch 'force_aligned' solve your issues? https://github.com/cr-marcstevens/sha1collisiondetection/tree/force_aligned You will need to add `-DSHA1DC_FORCE_ALIGNED_ACCESS` to your compiler options.
@shumow I have received emails from TravisCI that both commits in the branch have passed, so TravisCI is still working. But indeed, I also don't see those same confirmations visibly...
Thanks for the note, the tools are in another repository: https://github.com/cr-marcstevens/sha1collisiondetection-tools
A sparse version would just operate on non-reducible terms that have a non-zero coefficient somewhere. Currently we index all non-reducible monomials up to the lcm of the critical pair...