# Constant Time Comparison Functions in... Python, Haskell, Clojure, and Java

Here is a list of constant time comparison functions to protect yourself against side-channel timing attacks.

## Clojure

```
; Taken from https://github.com/weavejester/crypto-equality/blob/master/src/crypto/equality.clj
(ns crypto.equality
"Securely test sequences of data for equality.")
(defn eq?
"Test whether two sequences of characters or bytes are equal in a way that
protects against timing attacks. Note that this does not prevent an attacker
from discovering the *length* of the data being compared."
[a b]
(let [a (map int a), b (map int b)]
(if (and a b (= (count a) (count b)))
(zero? (reduce bit-or (map bit-xor a b)))
false)))
```

## Python 2.x

```
#Taken from Django Source Code
def constant_time_compare(val1, val2):
"""
Returns True if the two strings are equal, False otherwise.
The time taken is independent of the number of characters that match.
For the sake of simplicity, this function executes in constant time only
when the two strings have the same length. It short-circuits when they
have different lengths.
"""
if len(val1) != len(val2):
return False
result = 0
for x, y in zip(val1, val2):
result |= ord(x) ^ ord(y)
return result == 0
```

## Python 3.x

```
#This is included within the stdlib in Py3k for an C alternative for Python 2.7.x see https://github.com/levigross/constant_time_compare/
from operator import _compare_digest as constant_time_compare
# Or you can use this function taken from Django Source Code
def constant_time_compare(val1, val2):
"""
Returns True if the two strings are equal, False otherwise.
The time taken is independent of the number of characters that match.
For the sake of simplicity, this function executes in constant time only
when the two strings have the same length. It short-circuits when they
have different lengths.
"""
if len(val1) != len(val2):
return False
result = 0
for x, y in zip(val1, val2):
result |= x ^ y
return result == 0
```

## Haskell

```
import Data.Bits
import Data.Char
import Data.List
import Data.Function
-- Thank you Yan for this snippet
constantTimeCompare a b =
((==) `on` length) a b && 0 == (foldl1 (.|.) joined)
where
joined = zipWith (xor `on` ord) a b
```

## Java

```
// Taken from http://codahale.com/a-lesson-in-timing-attacks/
public static boolean isEqual(byte[] a, byte[] b) {
if (a.length != b.length) {
return false;
}
int result = 0;
for (int i = 0; i < a.length; i++) {
result |= a[i] ^ b[i]
}
return result == 0;
}
```

## Ruby

```
def secure_compare(a, b)
return false if a.empty? || b.empty? || a.bytesize != b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
```

I have added all of these to a Github Gist to make it easier to clone.