Paper 2016/1123

Dude, is my code constant time?

Oscar Reparaz, Josep Balasch, and Ingrid Verbauwhede

Abstract

This paper introduces dudect: a tool to assess whether a piece of code runs in constant time or not on a given platform. We base our approach on leakage detection techniques, resulting in a very compact, easy to use and easy to maintain tool. Our methodology fits in around 300 lines of C and runs on the target platform. The approach is substantially different from previous solutions. Contrary to others, our solution requires no modeling of hardware behavior. Our solution can be used in black-box testing, yet benefits from implementation details if available. We show the effectiveness of our approach by detecting several variable-time cryptographic implementations. We place a prototype implementation of dudect in the public domain.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. DATE 2017
Keywords
constant-time software, timing attack, leakage detection, SPA, side-channel analysis
Contact author(s)
oscar reparaz @ esat kuleuven be
History
2016-12-01: received
Short URL
https://ia.cr/2016/1123
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/1123,
      author = {Oscar Reparaz and Josep Balasch and Ingrid Verbauwhede},
      title = {Dude, is my code constant time?},
      howpublished = {Cryptology ePrint Archive, Paper 2016/1123},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/1123}},
      url = {https://eprint.iacr.org/2016/1123}
}