2025
Let's DOIT: Using Intel's extended HW/SW contract for secure compilation of crypto code
ARRANS OLMOS, Santiago; Gilles BARTHE; Benjamin GRÉGOIRE; Ján JANČÁR; Vincent LAPORTE et al.
Basic information
Original title
Let's DOIT: Using Intel's extended HW/SW contract for secure compilation of crypto code
Authors
ARRANS OLMOS, Santiago; Gilles BARTHE; Benjamin GRÉGOIRE; Ján JANČÁR; Vincent LAPORTE; Tiago OLIVEIRA and Peter SCHWABE
Edition
3rd ed. Germany, IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 644-667, 24 pp. 2025
Publisher
Ruhr-University of Bochum
Further information
Language
English
Type of result
Article in proceedings
Field
10201 Computer sciences, information science, bioinformatics
Country of publisher
Germany
Confidentiality
not subject to state or trade secret
Form of publication
electronic version "online"
Links
Organizational unit
Faculty of Informatics
ISSN
EID Scopus
2-s2.0-105008218675
Keywords in English
data-operand-independent timing; Jasmin; high-assurance; constant-time code
Tags
International impact, Reviewed
Changed: 29. 9. 2025 11:10, RNDr. Ján Jančár
Abstract
In original
It is a widely accepted standard practice to implement cryptographic software in such a way that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as "constant-time" software and typically involves following three rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about what those variable-time arithmetic instructions are, or, vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that is intended not to leak information about their inputs through timing, also on future microarchitectures, if the CPU is switched to run in a dedicated DOIT (or DIT) mode. In this paper we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even during speculative execution after a mispredicted branch or function-return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography. We then use our solution to evaluate to what extent existing cryptographic software that was built to be "constant-time" is already secure in this stricter paradigm implied by DOIT as well, and what the performance impact is of moving from constant-time to future-proof constant-time.
Related projects
101087529, internal MU code