constantine
Constant-time verification
Taken from the wiki page: https://github.com/mratsim/constantine/wiki/Constant-time-arithmetics
- dudect, "Dude, is my code constant time?" (Oscar Reparaz, Josep Balasch, Ingrid Verbauwhede, DATE 2017), a statistical leakage test that times the code on two input classes and applies Welch's t-test: https://github.com/oreparaz/dudect
- Frama-C, a static analysis platform for C: https://frama-c.com
- McBits: fast constant-time code-based cryptography (Daniel J. Bernstein, Tung Chou, Peter Schwabe, CHES 2013)
- FaCT, a domain-specific language for constant-time programming: https://github.com/PLSysSec/FaCT
- CANAL: A Cache Timing Analysis Framework via LLVM Transformation (Chungha Sung, Brandon Paulsen, Chao Wang, 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE 2018): https://github.com/canalcache/canal
- Verifying Constant-Time Implementations (Jose Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Francois Dupressoir, Michael Emmi, 25th USENIX Security Symposium, 2016): https://github.com/imdea-software/verifying-constant-time
- Verifying Constant-Time Implementations by Abstract Interpretation (Sandrine Blazy, David Pichardie, Alix Trieu, European Symposium on Research in Computer Security, ESORICS 2017, Oslo, Norway)
- "They're not that hard to mitigate": What Cryptographic Library Developers Think About Timing Attacks: https://eprint.iacr.org/2021/1650.pdf
Valgrind's memcheck can also be used, following Adam Langley's ctgrind approach (https://www.imperialviolet.org/2010/04/01/ctgrind.html): secret inputs are marked as uninitialised memory, and memcheck then reports every conditional branch and every memory access whose condition or address depends on them, which is exactly the secret-dependent control flow and table indexing a constant-time implementation must avoid. This is how Bitcoin Core's secp256k1 checks for constant-time behaviour: https://github.com/bitcoin-core/secp256k1/pull/723/files
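The ctgrind approach described above, as an added example that is not code from the constantine wiki, from ctgrind or from secp256k1: a leaky early-exit byte comparison next to a constant-time one, with the secret buffer marked undefined so that memcheck reports a secret-dependent conditional jump for the leaky version only. The function names, the buffer layout and the sample tag bytes are constructed for this example; the `VALGRIND_MAKE_MEM_UNDEFINED` and `VALGRIND_MAKE_MEM_DEFINED` client requests are the real macros from `<valgrind/memcheck.h>`, replaced by no-ops when that header is not installed so the file still builds and runs natively.

```c
/* ctgrind-style constant-time check on a MAC tag comparison.
 * Added example, not code from the constantine project.  Build and run:
 *   cc -O2 -g -o ctcheck ctcheck.c && valgrind ./ctcheck
 * Under valgrind, leaky_compare produces
 *   "Conditional jump or move depends on uninitialised value(s)"
 * while ct_compare produces no report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Use valgrind's client-request macros when the header is installed;
 * otherwise define them as no-ops so the program still runs natively. */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#  endif
#endif
#ifndef VALGRIND_MAKE_MEM_UNDEFINED
#  define VALGRIND_MAKE_MEM_UNDEFINED(p, n) ((void)0)
#  define VALGRIND_MAKE_MEM_DEFINED(p, n)   ((void)0)
#endif

#define TAG_LEN 16

/* Early-exit comparison: the branch on a[i] != b[i] depends on secret
 * bytes, so the running time reveals the length of the common prefix.
 * Once the inputs are marked undefined, memcheck flags this branch. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: every byte is visited, differences are
 * OR-accumulated, and the 0/1 result is derived arithmetically, so no
 * branch and no address ever depends on the secret.  memcheck is silent. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    /* diff == 0 -> (diff - 1) wraps to 0xFFFFFFFF and bit 8 is set;
     * diff in 1..255 -> (diff - 1) < 256 and bit 8 is clear. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Run both comparisons against a secret tag that memcheck treats as
 * uninitialised.  Returns 1 if both functions give the expected answers
 * on the constructed inputs, 0 otherwise. */
int run_ctgrind_check(void)
{
    /* Constructed sample data: a 16-byte "secret" tag and two candidates. */
    static const uint8_t expected[TAG_LEN] = {
        0x9f, 0x1c, 0x3a, 0x77, 0x00, 0xde, 0xad, 0xbe,
        0xef, 0x42, 0x13, 0x37, 0x5a, 0xa5, 0x0f, 0xf0 };
    uint8_t secret[TAG_LEN], candidate_ok[TAG_LEN], candidate_bad[TAG_LEN];
    int r[4];

    memcpy(secret, expected, TAG_LEN);
    memcpy(candidate_ok, expected, TAG_LEN);
    memcpy(candidate_bad, expected, TAG_LEN);
    candidate_bad[TAG_LEN - 1] ^= 0x01;   /* differs only in the last byte */

    /* From here on, any branch or memory index derived from `secret`
     * is reported by memcheck as a use of uninitialised data. */
    VALGRIND_MAKE_MEM_UNDEFINED(secret, TAG_LEN);

    r[0] = leaky_compare(secret, candidate_ok,  TAG_LEN);   /* reported */
    r[1] = leaky_compare(secret, candidate_bad, TAG_LEN);   /* reported */
    r[2] = ct_compare(secret, candidate_ok,  TAG_LEN);      /* silent   */
    r[3] = ct_compare(secret, candidate_bad, TAG_LEN);      /* silent   */

    /* The results are secret-derived, so they are "undefined" too.
     * Declassify them explicitly before branching on them; otherwise
     * this very check would be reported as a leak. */
    VALGRIND_MAKE_MEM_DEFINED(r, sizeof r);

    return r[0] == 1 && r[1] == 0 && r[2] == 1 && r[3] == 0;
}

int main(void)
{
    int ok = run_ctgrind_check();
    printf("both comparisons agree on the sample inputs: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Two caveats when using this in practice. First, memcheck analyses the binary you actually built, so run it at the same optimisation level you ship; a compiler may turn a branchless source into a branch (or vice versa), and the source-level reading tells you nothing about that. Second, the taint model only covers secret-dependent control flow and secret-dependent addresses; it does not model variable-latency instructions such as integer division, nor cache effects beyond the address itself, so a silent memcheck run is necessary but not sufficient evidence of constant-time behaviour.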
The Marvin attack (Hubert Kario, 2023), a variant of Bleichenbacher's attack on RSA PKCS#1 v1.5 decryption, showed that timing differences of only a few nanoseconds in the padding check can potentially be exploited over the network to recover secrets, given enough samples; a difference that is "too small to measure" is not a defence.
- CVE-2023-49092 advisory for the RustCrypto RSA crate: https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr
- Tooling used to detect the timing issue: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1830065981