====== PHP RFC: Timing Safe Encoding Functions ======
  * Version: 0.1
  * Date: 2015-03-13
  * Author: Scott Arciszewski, scott@arciszewski.me
  * Status: Under Diiscussion
  * First Published at: http://wiki.php.net/rfc/timing_safe_encoding

===== Introduction =====

Cryptography libraries written in PHP often store encryption keys in an alternate encoding (Base-16 or Base-64, as specified in RFC 4648). However, the way these functions are trivially implemented open the door to possible cache-timing attacks which could be used to steal encryption keys, even if the encryption is well-implemented.

===== Proposal =====
A number of functions that already exist will have a timing-safe alternative exposed to PHP developers.

  * bin2hex()  -> bin2hex_ts()
  * hex2bin() -> hex2bin_ts()
  * base64_encode() -> base64_encode_ts()
  * base64_decode() -> base64_decode_ts()

===== Backward Incompatible Changes =====
None! :)

===== Proposed PHP Version(s) =====

This proposal targets the 7.0 release of PHP. Or 7.1 if it's too late.

===== Proposed Voting Choices =====

As this is not a significant change, a 50%+1 majority vote ought to be sufficient. 

===== Patches and Tests =====

An incomplete patch is being developed in [[https://github.com/php/php-src/pull/1036|Pull Request 1036]].

===== References =====

  * [[http://blog.ircmaxell.com/2014/11/its-all-about-time.html|It's All About Time]] by Anthony Ferrara