Cryptology ePrint Archive: Report 2016/1123
Dude, is my code constant time?
Oscar Reparaz and Josep Balasch and Ingrid Verbauwhede
Abstract: This paper introduces dudect: a tool to assess whether a piece of code runs in constant time or not on a given platform. We base our approach on leakage detection techniques, resulting in a very compact, easy to use and easy to maintain tool. Our methodology fits in around 300 lines of C and runs on the target platform. The approach is substantially different from previous solutions. Contrary to others, our solution requires no modeling of hardware behavior. Our solution can be used in black-box testing, yet benefits from implementation details if available. We show the effectiveness of our approach by detecting several variable-time cryptographic implementations. We place a prototype implementation of dudect in the public domain.
Category / Keywords: implementation / constant-time software, timing attack, leakage detection, SPA, side-channel analysis
Original Publication (with minor differences): DATE 2017
Date: received 30 Nov 2016
Contact author: oscar reparaz at esat kuleuven be
Version: 20161201:045928
Short URL: ia.cr/2016/1123