Cryptology ePrint Archive: Report 2016/1123

Dude, is my code constant time?

Oscar Reparaz and Josep Balasch and Ingrid Verbauwhede

Abstract: This paper introduces dudect: a tool to assess whether a piece of code runs in constant time or not on a given platform. We base our approach on leakage detection techniques, resulting in a very compact, easy to use and easy to maintain tool. Our methodology fits in around 300 lines of C and runs on the target platform. The approach is substantially different from previous solutions. Contrary to others, our solution requires no modeling of hardware behavior. Our solution can be used in black-box testing, yet benefits from implementation details if available. We show the effectiveness of our approach by detecting several variable-time cryptographic implementations. We place a prototype implementation of dudect in the public domain.

Category / Keywords: implementation / constant-time software, timing attack, leakage detection, SPA, side-channel analysis

Original Publication (with minor differences): DATE 2017

Date: received 30 Nov 2016

Contact author: oscar reparaz at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Version: 20161201:045928 (All versions of this report)

Short URL: ia.cr/2016/1123

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]