恒定时间测试指南：防范密码学时序攻击与侧信道泄漏

constant-time-testing by trailofbits/skills

1,100 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill constant-time-testing

开发测试安全

🇨🇳中文介绍

恒定时间测试

时序攻击利用执行时间的差异从密码学实现中提取秘密信息。与针对理论弱点的密码分析不同，时序攻击利用了实现缺陷——并且它们可以影响任何密码学代码。

背景

时序攻击由 Kocher 于 1996 年提出。此后，研究人员已证明了对 RSA (Schindler)、OpenSSL (Brumley and Boneh)、AES 实现甚至像 Kyber 这样的后量子算法的实际攻击。

关键概念

概念	描述
恒定时间	代码路径和内存访问独立于秘密数据
时序泄漏	与秘密相关的可观察执行时间差异
侧信道	从实现而非算法中提取的信息
微架构	CPU 级别的时序差异（缓存、除法、移位）

为何重要

时序漏洞可以：

暴露私钥 - 提取 RSA/ECDH 中的秘密指数
实现远程攻击 - 网络可观测的时序差异
绕过密码学安全性 - 破坏理论保证
静默持续存在 - 通常未经专门分析无法检测

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

常见的恒定时间违规模式

四种模式导致了大多数时序漏洞：

// 1. 条件跳转 - 最严重的时序差异
if(secret == 1) { ... }
while(secret > 0) { ... }

// 2. 数组访问 - 缓存时序攻击
lookup_table[secret];

// 3. 整数除法（处理器相关）
data = secret / m;

// 4. 移位操作（处理器相关）
data = a << secret;

条件跳转 导致不同的代码路径，从而产生巨大的时序差异。

依赖于秘密的数组访问使得缓存时序攻击成为可能，如 AES 缓存时序研究所示。

整数除法和移位操作 在某些 CPU 架构和编译器配置下会泄漏秘密。

当无法避免这些模式时，采用掩码技术来消除时序与秘密之间的相关性。

示例：模幂运算时序攻击

模幂运算（用于 RSA 和 Diffie-Hellman）容易受到时序攻击。RSA 解密计算：

其中 $d$ 是秘密指数。平方乘幂 优化将乘法次数减少到 $\log{d}$：

$$ \begin{align*} & \textbf{输入: } \text{底数 }y,\text{指数 } d={d_n,\cdots,d_0}_2,\text{模数 } N \ & r = 1 \ & \textbf{for } i=|n| \text{ downto } 0: \ & \quad\textbf{if } d_i == 1: \ & \quad\quad r = r * y \mod{N} \ & \quad y = y * y \mod{N} \ & \textbf{return }r \end{align*} $$

代码根据指数位 $d_i$ 进行分支，违反了恒定时间原则。当 $d_i = 1$ 时，会进行一次额外的乘法运算，增加执行时间并泄漏位信息。

蒙哥马利乘法（常用于模运算）也会泄漏时序：当中间值超过模数 $N$ 时，需要额外的约简步骤。攻击者构造输入 $y$ 和 $y'$，使得：

$$ \begin{align*} y^2 < y^3 < N \ y'^2 < N \leq y'^3 \end{align*} $$

对于 $y$，两次乘法都耗时 $t_1+t_1$。对于 $y'$，第二次乘法需要约简，耗时 $t_1+t_2$。这种时序差异揭示了 $d_i$ 是 0 还是 1。

在以下情况应用恒定时间分析：

审计密码学实现（原语、协议）
代码处理秘密密钥、密码或敏感密码学材料
从头实现密码算法
审查涉及密码学代码的 PR
调查潜在的时序漏洞

在以下情况考虑替代方案：

代码不处理秘密数据
没有秘密输入的公共算法
非密码学时序要求（性能优化）

场景	推荐方法	技能
证明无泄漏	形式化验证	SideTrail, ct-verif, FaCT
检测统计时序差异	统计测试	dudect
在运行时跟踪秘密数据流	动态分析	timecop
查找缓存时序漏洞	符号执行	Binsec, pitchfork

恒定时间工具类别

密码学界开发了四类时序分析工具：

类别	方法	优点	缺点
形式化	对模型进行数学证明	保证无泄漏	复杂性，建模假设
符号化	符号执行路径	具体反例	耗时的路径探索
动态	使用标记秘密的运行时跟踪	细粒度，灵活	覆盖范围限于执行路径
统计	测量实际执行时间	实用，设置简单	无根本原因，对噪声敏感

形式化验证在代码的抽象（模型）上数学证明时序属性。工具从源代码/二进制文件创建模型，并验证其满足指定属性（例如，变量被注释为秘密）。

优点： 无泄漏证明，语言无关（LLVM 字节码） 缺点： 需要专业知识，建模假设可能遗漏实际问题

符号执行分析路径和内存访问如何依赖于符号变量（秘密）。提供具体反例。专注于缓存时序攻击。

优点： 具体反例有助于调试 缺点： 路径爆炸导致执行时间长

动态分析标记敏感内存区域并跟踪执行以检测依赖于时序的操作。

Memsan: 教程
Timecop (见下文)

优点： 细粒度控制，针对性分析 缺点： 覆盖范围限于执行路径

详细指南： 有关设置和使用，请参阅 timecop 技能。

使用各种输入执行代码，测量耗时，并检测不一致性。测试包括编译器优化和架构在内的实际实现。

dudect (见下文)
tlsfuzzer

优点： 设置简单，实用的现实世界结果 缺点： 无根本原因信息，噪声掩盖弱信号

详细指南： 有关设置和使用，请参阅 dudect 技能。

Phase 1: Static Analysis        Phase 2: Statistical Testing
┌─────────────────┐            ┌─────────────────┐
│ Identify secret │      →     │ Detect timing   │
│ data flow       │            │ differences     │
│ Tool: ct-verif  │            │ Tool: dudect    │
└─────────────────┘            └─────────────────┘
         ↓                              ↓
Phase 4: Root Cause             Phase 3: Dynamic Tracing
┌─────────────────┐            ┌─────────────────┐
│ Pinpoint leak   │      ←     │ Track secret    │
│ location        │            │ propagation     │
│ Tool: Timecop   │            │ Tool: Timecop   │
└─────────────────┘            └─────────────────┘

从 dudect 开始 - 快速统计检查时序差异
如果发现泄漏 - 使用 Timecop 定位根本原因
对于高保证性 - 应用形式化验证（ct-verif, SideTrail）
持续监控 - 将 dudect 集成到 CI 流水线中

Dudect - 统计分析

Dudect 测量两个输入类别（固定与随机）的执行时间，并使用 Welch t 检验来检测统计上显著的差异。

详细指南： 有关完整设置、使用模式和 CI 集成，请参阅 dudect 技能。

恒定时间分析快速入门

#define DUDECT_IMPLEMENTATION
#include "dudect.h"

uint8_t do_one_computation(uint8_t *data) {
    // Code to measure goes here
}

void prepare_inputs(dudect_config_t *c, uint8_t *input_data, uint8_t *classes) {
    for (size_t i = 0; i < c->number_measurements; i++) {
        classes[i] = randombit();
        uint8_t *input = input_data + (size_t)i * c->chunk_size;
        if (classes[i] == 0) {
            // Fixed input class
        } else {
            // Random input class
        }
    }
}

简单的 C 头文件集成
通过 Welch t 检验实现统计严谨性
适用于编译后的二进制文件（真实世界条件）

检测到泄漏时无根本原因信息
对测量噪声敏感
无法保证无泄漏（仅统计置信度）

Timecop - 动态跟踪

Timecop 包装 Valgrind 以检测依赖于秘密内存区域的运行时操作。

详细指南： 有关安装、示例和调试，请参阅 timecop 技能。

恒定时间分析快速入门

#include "valgrind/memcheck.h"

#define poison(addr, len) VALGRIND_MAKE_MEM_UNDEFINED(addr, len)
#define unpoison(addr, len) VALGRIND_MAKE_MEM_DEFINED(addr, len)

int main() {
    unsigned long long secret_key = 0x12345678;

    // Mark secret as poisoned
    poison(&secret_key, sizeof(secret_key));

    // Any branching or memory access dependent on secret_key
    // will be reported by Valgrind
    crypto_operation(secret_key);

    unpoison(&secret_key, sizeof(secret_key));
}

使用 Valgrind 运行：

valgrind --leak-check=full --track-origins=yes ./binary

精确定位时序泄漏的确切行
无需代码插桩
跟踪秘密在执行过程中的传播

无法检测微架构时序差异
覆盖范围限于执行路径
性能开销（在模拟 CPU 上运行）

阶段 1：初步评估

识别处理秘密的密码学代码：

私钥、指数、随机数
密码哈希、认证令牌
加密/解密操作

快速统计检查：

为密码函数编写 dudect 测试套件
运行 5-10 分钟，使用 timeout 600 ./ct_test
监控 t 值：绝对值高表示泄漏

工具： dudect 预计时间： 1-2 小时（测试套件编写 + 初始运行）

阶段 2：详细分析

如果 dudect 检测到泄漏：

根本原因调查：

使用 Timecop poison() 标记秘密变量
在 Valgrind 下运行以识别确切行
审查四种常见的违规模式
检查汇编输出中的条件分支

工具： Timecop, 编译器输出 (objdump -d)

修复时序泄漏：

用恒定时间选择（按位操作）替换条件分支
使用恒定时间比较函数
用恒定时间替代方案或掩码替换数组查找
验证编译器没有优化掉恒定时间代码

再次运行 dudect 较长时间（30 分钟以上）
在不同的编译器和优化级别下测试
在不同的 CPU 架构上测试

阶段 4：持续监控

集成到 CI 中：

将 dudect 测试添加到测试套件
在 CI 中运行固定时长（5-10 分钟）
如果检测到泄漏，则构建失败

有关 CI 集成示例，请参阅 dudect 技能。

漏洞	描述	检测	严重性
依赖于秘密的分支	`if (secret_bit) { ... }`	dudect, Timecop	严重
依赖于秘密的数组访问	`table[secret_index]`	Timecop, Binsec	高
可变时间除法	`result = x / secret`	Timecop	中
可变时间移位	`result = x << secret`	Timecop	中
蒙哥马利约简泄漏	中间值 > N 时的额外约简	dudect	高

依赖于秘密的分支：深入探讨

漏洞： 执行时间根据是否执行分支而不同。常见于优化的模幂运算（平方乘幂）。

如何使用 dudect 检测：

uint8_t do_one_computation(uint8_t *data) {
    uint64_t base = ((uint64_t*)data)[0];
    uint64_t exponent = ((uint64_t*)data)[1]; // Secret!
    return mod_exp(base, exponent, MODULUS);
}

void prepare_inputs(dudect_config_t *c, uint8_t *input_data, uint8_t *classes) {
    for (size_t i = 0; i < c->number_measurements; i++) {
        classes[i] = randombit();
        uint64_t *input = (uint64_t*)(input_data + i * c->chunk_size);
        input[0] = rand(); // Random base
        input[1] = (classes[i] == 0) ? FIXED_EXPONENT : rand(); // Fixed vs random
    }
}

如何使用 Timecop 检测：

poison(&exponent, sizeof(exponent));
result = mod_exp(base, exponent, modulus);
unpoison(&exponent, sizeof(exponent));

Valgrind 将报告：

Conditional jump or move depends on uninitialised value(s)
  at 0x40115D: mod_exp (example.c:14)

相关技能： dudect , timecop

案例研究：OpenSSL RSA 时序攻击

Brumley 和 Boneh (2005) 通过网络从 OpenSSL 中提取了 RSA 私钥。该漏洞利用了蒙哥马利乘法的可变时间约简步骤。

攻击向量： 模幂运算中的时序差异 检测方法： 统计分析（dudect 的前身） 影响： 远程密钥提取

使用的工具： 自定义时序测量 应用的技术： 统计分析、选择密文查询

案例研究：KyberSlash

后量子算法 Kyber 的参考实现包含多项式操作中的时序漏洞。除法操作泄漏了秘密系数。

攻击向量： 依赖于秘密的除法时序 检测方法： 动态分析和统计测试 影响： 后量子密码学中的秘密密钥恢复

使用的工具： 时序测量工具 应用的技术： 差分时序分析

技巧	为何有帮助
将 dudect 固定到隔离的 CPU 核心 (`taskset -c 2`)	减少操作系统噪声，提高信号检测
测试多个编译器（gcc, clang, MSVC）	优化可能引入或消除泄漏
长时间运行 dudect（数小时）	增加统计置信度
最小化测试套件中的非密码学代码	减少掩盖弱信号的噪声
检查汇编输出 (`objdump -d`)	验证编译器未引入分支
在测试中使用 `-O3 -march=native`	匹配生产优化级别

错误	为何错误	正确方法
仅测试一种输入分布	可能遗漏其他模式可见的泄漏	测试固定 vs 随机、固定 vs 不同固定等
dudect 运行时间短（< 1 分钟）	测量不足，无法检测弱信号	运行 5-10+ 分钟，高保证性需要更长时间
忽略编译器优化级别	`-O0` 可能隐藏 `-O3` 中存在的泄漏	在生产优化级别测试
未在目标架构上测试	x86 与 ARM 具有不同的时序特性	在部署平台上测试
在 Timecop 中标记过多内容为秘密	误报，结果不清晰	仅标记真正的秘密（密钥，而非公共数据）

技能	在恒定时间分析中的主要用途
dudect	通过 Welch t 检验统计检测时序差异
timecop	动态跟踪以精确定位时序泄漏位置

技能	何时应用
coverage-analysis	确保测试输入覆盖密码函数的所有代码路径
ci-integration	在持续集成流水线中自动化恒定时间测试

技能	关系
crypto-testing	恒定时间分析是密码学测试的重要组成部分
fuzzing	模糊测试密码学代码可能触发依赖于时序的路径

技能依赖关系图

                    ┌─────────────────────────┐
                    │  constant-time-analysis │
                    │     (this skill)        │
                    └───────────┬─────────────┘
                                │
                ┌───────────────┴───────────────┐
                │                               │
                ▼                               ▼
    ┌───────────────────┐           ┌───────────────────┐
    │      dudect       │           │     timecop       │
    │  (statistical)    │           │    (dynamic)      │
    └────────┬──────────┘           └────────┬──────────┘
             │                               │
             └───────────────┬───────────────┘
                             │
                             ▼
              ┌──────────────────────────────┐
              │   Supporting Techniques      │
              │ coverage, CI integration     │
              └──────────────────────────────┘

这些结果必定是假的：恒定时间分析工具的可用性评估 对恒定时间分析工具的全面可用性研究。主要发现：开发人员难以处理误报，需要更好的错误消息，并受益于工具集成。评估了 FaCT、ct-verif、dudect 和 Memsan 在多个密码学实现上的表现。建议改进工具用户体验和更好的文档。

恒定时间工具列表 - CROCS 带有教程的恒定时间分析工具精选目录。涵盖形式化工具（ct-verif, FaCT）、动态工具（Memsan, Timecop）、符号化工具（Binsec）和统计工具（dudect）。包含设置和使用的实用教程。

Paul Kocher: 对 Diffie-Hellman、RSA、DSS 和其他系统实现的时序攻击 介绍时序攻击的原始 1996 年论文。演示了对 RSA 和 Diffie-Hellman 中模幂运算的攻击。理解时序漏洞的重要历史背景。

远程时序攻击是实用的 (Brumley& Boneh) 演示了对 OpenSSL 的实际远程时序攻击。表明网络级时序差异足以提取 RSA 密钥。证明时序攻击在现实网络条件下有效。

对 AES 的缓存时序攻击 表明使用查找表的 AES 实现容易受到缓存时序攻击。演示了通过缓存时序侧信道提取 AES 密钥的实际攻击。

KyberSlash: 除法时序泄漏秘密 最近在 Kyber（NIST 后量子标准）中发现的时序漏洞。表明除法操作泄漏秘密系数。强调即使在现代后量子密码学中，恒定时间问题仍然存在。

Trail of Bits: 恒定时间编程 - 恒定时间编程原则和工具概述

🇺🇸English

Constant-Time Testing

Timing attacks exploit variations in execution time to extract secret information from cryptographic implementations. Unlike cryptanalysis that targets theoretical weaknesses, timing attacks leverage implementation flaws - and they can affect any cryptographic code.

Background

Timing attacks were introduced by Kocher in 1996. Since then, researchers have demonstrated practical attacks on RSA (Schindler), OpenSSL (Brumley and Boneh), AES implementations, and even post-quantum algorithms like Kyber.

Key Concepts

Concept	Description
Constant-time	Code path and memory accesses independent of secret data
Timing leakage	Observable execution time differences correlated with secrets
Side channel	Information extracted from implementation rather than algorithm
Microarchitecture	CPU-level timing differences (cache, division, shifts)

Why This Matters

Timing vulnerabilities can:

Expose private keys - Extract secret exponents in RSA/ECDH
Enable remote attacks - Network-observable timing differences
Bypass cryptographic security - Undermine theoretical guarantees
Persist silently - Often undetected without specialized analysis

Two prerequisites enable exploitation:

Access to oracle - Sufficient queries to the vulnerable implementation
Timing dependency - Correlation between execution time and secret data

Common Constant-Time Violation Patterns

Four patterns account for most timing vulnerabilities:

// 1. Conditional jumps - most severe timing differences
if(secret == 1) { ... }
while(secret > 0) { ... }

// 2. Array access - cache-timing attacks
lookup_table[secret];

// 3. Integer division (processor dependent)
data = secret / m;

// 4. Shift operation (processor dependent)
data = a << secret;

Conditional jumps cause different code paths, leading to vast timing differences.

Array access dependent on secrets enables cache-timing attacks, as shown in AES cache-timing research.

Integer division and shift operations leak secrets on certain CPU architectures and compiler configurations.

When patterns cannot be avoided, employ masking techniques to remove correlation between timing and secrets.

Example: Modular Exponentiation Timing Attacks

Modular exponentiation (used in RSA and Diffie-Hellman) is susceptible to timing attacks. RSA decryption computes:

$$ct^{d} \mod{N}$$

where $d$ is the secret exponent. The exponentiation by squaring optimization reduces multiplications to $\log{d}$:

$$ \begin{align*} & \textbf{Input: } \text{base }y,\text{exponent } d={d_n,\cdots,d_0}_2,\text{modulus } N \ & r = 1 \ & \textbf{for } i=|n| \text{ downto } 0: \ & \quad\textbf{if } d_i == 1: \ & \quad\quad r = r * y \mod{N} \ & \quad y = y * y \mod{N} \ & \textbf{return }r \end{align*} $$

The code branches on exponent bit $d_i$, violating constant-time principles. When $d_i = 1$, an additional multiplication occurs, increasing execution time and leaking bit information.

Montgomery multiplication (commonly used for modular arithmetic) also leaks timing: when intermediate values exceed modulus $N$, an additional reduction step is required. An attacker constructs inputs $y$ and $y'$ such that:

$$ \begin{align*} y^2 < y^3 < N \ y'^2 < N \leq y'^3 \end{align*} $$

For $y$, both multiplications take time $t_1+t_1$. For $y'$, the second multiplication requires reduction, taking time $t_1+t_2$. This timing difference reveals whether $d_i$ is 0 or 1.

When to Use

Apply constant-time analysis when:

Auditing cryptographic implementations (primitives, protocols)
Code handles secret keys, passwords, or sensitive cryptographic material
Implementing crypto algorithms from scratch
Reviewing PRs that touch crypto code
Investigating potential timing vulnerabilities

Consider alternatives when:

Code does not process secret data
Public algorithms with no secret inputs
Non-cryptographic timing requirements (performance optimization)

Quick Reference

Scenario	Recommended Approach	Skill
Prove absence of leaks	Formal verification	SideTrail, ct-verif, FaCT
Detect statistical timing differences	Statistical testing	dudect
Track secret data flow at runtime	Dynamic analysis	timecop
Find cache-timing vulnerabilities	Symbolic execution	Binsec, pitchfork

Constant-Time Tooling Categories

The cryptographic community has developed four categories of timing analysis tools:

Category	Approach	Pros	Cons
Formal	Mathematical proof on model	Guarantees absence of leaks	Complexity, modeling assumptions
Symbolic	Symbolic execution paths	Concrete counterexamples	Time-intensive path exploration
Dynamic	Runtime tracing with marked secrets	Granular, flexible	Limited coverage to executed paths
Statistical	Measure real execution timing	Practical, simple setup	No root cause, noise sensitivity

1. Formal Tools

Formal verification mathematically proves timing properties on an abstraction (model) of code. Tools create a model from source/binary and verify it satisfies specified properties (e.g., variables annotated as secret).

Popular tools:

Strengths: Proof of absence, language-agnostic (LLVM bytecode) Weaknesses: Requires expertise, modeling assumptions may miss real-world issues

2. Symbolic Tools

Symbolic execution analyzes how paths and memory accesses depend on symbolic variables (secrets). Provides concrete counterexamples. Focus on cache-timing attacks.

Popular tools:

Strengths: Concrete counterexamples aid debugging Weaknesses: Path explosion leads to long execution times

3. Dynamic Tools

Dynamic analysis marks sensitive memory regions and traces execution to detect timing-dependent operations.

Popular tools:

Memsan: Tutorial
Timecop (see below)

Strengths: Granular control, targeted analysis Weaknesses: Coverage limited to executed paths

Detailed Guidance: See the timecop skill for setup and usage.

4. Statistical Tools

Execute code with various inputs, measure elapsed time, and detect inconsistencies. Tests actual implementation including compiler optimizations and architecture.

Popular tools:

dudect (see below)
tlsfuzzer

Strengths: Simple setup, practical real-world results Weaknesses: No root cause info, noise obscures weak signals

Detailed Guidance: See the dudect skill for setup and usage.

Testing Workflow

Phase 1: Static Analysis        Phase 2: Statistical Testing
┌─────────────────┐            ┌─────────────────┐
│ Identify secret │      →     │ Detect timing   │
│ data flow       │            │ differences     │
│ Tool: ct-verif  │            │ Tool: dudect    │
└─────────────────┘            └─────────────────┘
         ↓                              ↓
Phase 4: Root Cause             Phase 3: Dynamic Tracing
┌─────────────────┐            ┌─────────────────┐
│ Pinpoint leak   │      ←     │ Track secret    │
│ location        │            │ propagation     │
│ Tool: Timecop   │            │ Tool: Timecop   │
└─────────────────┘            └─────────────────┘

Recommended approach:

Start with dudect - Quick statistical check for timing differences
If leaks found - Use Timecop to pinpoint root cause
For high-assurance - Apply formal verification (ct-verif, SideTrail)
Continuous monitoring - Integrate dudect into CI pipeline

Tools and Approaches

Dudect - Statistical Analysis

Dudect measures execution time for two input classes (fixed vs random) and uses Welch's t-test to detect statistically significant differences.

Detailed Guidance: See the dudect skill for complete setup, usage patterns, and CI integration.

Quick Start for Constant-Time Analysis

#define DUDECT_IMPLEMENTATION
#include "dudect.h"

uint8_t do_one_computation(uint8_t *data) {
    // Code to measure goes here
}

void prepare_inputs(dudect_config_t *c, uint8_t *input_data, uint8_t *classes) {
    for (size_t i = 0; i < c->number_measurements; i++) {
        classes[i] = randombit();
        uint8_t *input = input_data + (size_t)i * c->chunk_size;
        if (classes[i] == 0) {
            // Fixed input class
        } else {
            // Random input class
        }
    }
}

Key advantages:

Simple C header-only integration
Statistical rigor via Welch's t-test
Works with compiled binaries (real-world conditions)

Key limitations:

No root cause information when leak detected
Sensitive to measurement noise
Cannot guarantee absence of leaks (statistical confidence only)

Timecop - Dynamic Tracing

Timecop wraps Valgrind to detect runtime operations dependent on secret memory regions.

Detailed Guidance: See the timecop skill for installation, examples, and debugging.

Quick Start for Constant-Time Analysis

#include "valgrind/memcheck.h"

#define poison(addr, len) VALGRIND_MAKE_MEM_UNDEFINED(addr, len)
#define unpoison(addr, len) VALGRIND_MAKE_MEM_DEFINED(addr, len)

int main() {
    unsigned long long secret_key = 0x12345678;

    // Mark secret as poisoned
    poison(&secret_key, sizeof(secret_key));

    // Any branching or memory access dependent on secret_key
    // will be reported by Valgrind
    crypto_operation(secret_key);

    unpoison(&secret_key, sizeof(secret_key));
}

Run with Valgrind:

valgrind --leak-check=full --track-origins=yes ./binary

Key advantages:

Pinpoints exact line of timing leak
No code instrumentation required
Tracks secret propagation through execution

Key limitations:

Cannot detect microarchitecture timing differences
Coverage limited to executed paths
Performance overhead (runs on synthetic CPU)

Implementation Guide

Phase 1: Initial Assessment

Identify cryptographic code handling secrets:

Private keys, exponents, nonces
Password hashes, authentication tokens
Encryption/decryption operations

Quick statistical check:

Write dudect harness for the crypto function
Run for 5-10 minutes with timeout 600 ./ct_test
Monitor t-value: high absolute values indicate leakage

Tools: dudect Expected time: 1-2 hours (harness writing + initial run)

Phase 2: Detailed Analysis

If dudect detects leakage:

Root cause investigation:

Mark secret variables with Timecop poison()
Run under Valgrind to identify exact line
Review the four common violation patterns
Check assembly output for conditional branches

Tools: Timecop, compiler output (objdump -d)

Phase 3: Remediation

Fix the timing leak:

Replace conditional branches with constant-time selection (bitwise operations)
Use constant-time comparison functions
Replace array lookups with constant-time alternatives or masking
Verify compiler doesn't optimize away constant-time code

Re-verify:

Run dudect again for extended period (30+ minutes)
Test across different compilers and optimization levels
Test on different CPU architectures

Phase 4: Continuous Monitoring

Integrate into CI:

Add dudect tests to test suite
Run for fixed duration (5-10 minutes in CI)
Fail build if leakage detected

See the dudect skill for CI integration examples.

Common Vulnerabilities

Vulnerability	Description	Detection	Severity
Secret-dependent branch	`if (secret_bit) { ... }`	dudect, Timecop	CRITICAL
Secret-dependent array access	`table[secret_index]`	Timecop, Binsec	HIGH
Variable-time division	`result = x / secret`	Timecop	MEDIUM
Variable-time shift	`result = x << secret`	Timecop	MEDIUM

Secret-Dependent Branch: Deep Dive

The vulnerability: Execution time differs based on whether branch is taken. Common in optimized modular exponentiation (square-and-multiply).

How to detect with dudect:

uint8_t do_one_computation(uint8_t *data) {
    uint64_t base = ((uint64_t*)data)[0];
    uint64_t exponent = ((uint64_t*)data)[1]; // Secret!
    return mod_exp(base, exponent, MODULUS);
}

void prepare_inputs(dudect_config_t *c, uint8_t *input_data, uint8_t *classes) {
    for (size_t i = 0; i < c->number_measurements; i++) {
        classes[i] = randombit();
        uint64_t *input = (uint64_t*)(input_data + i * c->chunk_size);
        input[0] = rand(); // Random base
        input[1] = (classes[i] == 0) ? FIXED_EXPONENT : rand(); // Fixed vs random
    }
}

How to detect with Timecop:

poison(&exponent, sizeof(exponent));
result = mod_exp(base, exponent, modulus);
unpoison(&exponent, sizeof(exponent));

Valgrind will report:

Conditional jump or move depends on uninitialised value(s)
  at 0x40115D: mod_exp (example.c:14)

Related skill: dudect , timecop

Case Studies

Case Study: OpenSSL RSA Timing Attack

Brumley and Boneh (2005) extracted RSA private keys from OpenSSL over a network. The vulnerability exploited Montgomery multiplication's variable-time reduction step.

Attack vector: Timing differences in modular exponentiation Detection approach: Statistical analysis (precursor to dudect) Impact: Remote key extraction

Tools used: Custom timing measurement Techniques applied: Statistical analysis, chosen-ciphertext queries

Case Study: KyberSlash

Post-quantum algorithm Kyber's reference implementation contained timing vulnerabilities in polynomial operations. Division operations leaked secret coefficients.

Attack vector: Secret-dependent division timing Detection approach: Dynamic analysis and statistical testing Impact: Secret key recovery in post-quantum cryptography

Tools used: Timing measurement tools Techniques applied: Differential timing analysis

Advanced Usage

Tips and Tricks

Tip	Why It Helps
Pin dudect to isolated CPU core (`taskset -c 2`)	Reduces OS noise, improves signal detection
Test multiple compilers (gcc, clang, MSVC)	Optimizations may introduce or remove leaks
Run dudect for extended periods (hours)	Increases statistical confidence
Minimize non-crypto code in harness	Reduces noise that masks weak signals
Check assembly output (`objdump -d`)	Verify compiler didn't introduce branches
Use `-O3 -march=native` in testing	Matches production optimization levels

Common Mistakes

Mistake	Why It's Wrong	Correct Approach
Only testing one input distribution	May miss leaks visible with other patterns	Test fixed-vs-random, fixed-vs-fixed-different, etc.
Short dudect runs (< 1 minute)	Insufficient measurements for weak signals	Run 5-10+ minutes, longer for high assurance
Ignoring compiler optimization levels	`-O0` may hide leaks present in `-O3`	Test at production optimization level
Not testing on target architecture	x86 vs ARM have different timing characteristics	Test on deployment platform
Marking too much as secret in Timecop	False positives, unclear results	Mark only true secrets (keys, not public data)

Related Skills

Tool Skills

Skill	Primary Use in Constant-Time Analysis
dudect	Statistical detection of timing differences via Welch's t-test
timecop	Dynamic tracing to pinpoint exact location of timing leaks

Technique Skills

Skill	When to Apply
coverage-analysis	Ensure test inputs exercise all code paths in crypto function
ci-integration	Automate constant-time testing in continuous integration pipeline

Related Domain Skills

Skill	Relationship
crypto-testing	Constant-time analysis is essential component of cryptographic testing
fuzzing	Fuzzing crypto code may trigger timing-dependent paths

Skill Dependency Map

                    ┌─────────────────────────┐
                    │  constant-time-analysis │
                    │     (this skill)        │
                    └───────────┬─────────────┘
                                │
                ┌───────────────┴───────────────┐
                │                               │
                ▼                               ▼
    ┌───────────────────┐           ┌───────────────────┐
    │      dudect       │           │     timecop       │
    │  (statistical)    │           │    (dynamic)      │
    └────────┬──────────┘           └────────┬──────────┘
             │                               │
             └───────────────┬───────────────┘
                             │
                             ▼
              ┌──────────────────────────────┐
              │   Supporting Techniques      │
              │ coverage, CI integration     │
              └──────────────────────────────┘

Resources

Key External Resources

These results must be false: A usability evaluation of constant-time analysis tools Comprehensive usability study of constant-time analysis tools. Key findings: developers struggle with false positives, need better error messages, and benefit from tool integration. Evaluates FaCT, ct-verif, dudect, and Memsan across multiple cryptographic implementations. Recommends improved tooling UX and better documentation.

List of constant-time tools - CROCS Curated catalog of constant-time analysis tools with tutorials. Covers formal tools (ct-verif, FaCT), dynamic tools (Memsan, Timecop), symbolic tools (Binsec), and statistical tools (dudect). Includes practical tutorials for setup and usage.

Paul Kocher: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems Original 1996 paper introducing timing attacks. Demonstrates attacks on modular exponentiation in RSA and Diffie-Hellman. Essential historical context for understanding timing vulnerabilities.

Remote Timing Attacks are Practical (Brumley& Boneh) Demonstrates practical remote timing attacks against OpenSSL. Shows network-level timing differences are sufficient to extract RSA keys. Proves timing attacks work in realistic network conditions.

Cache-timing attacks on AES Shows AES implementations using lookup tables are vulnerable to cache-timing attacks. Demonstrates practical attacks extracting AES keys via cache timing side channels.

KyberSlash: Division Timings Leak Secrets Recent discovery of timing vulnerabilities in Kyber (NIST post-quantum standard). Shows division operations leak secret coefficients. Highlights that constant-time issues persist even in modern post-quantum cryptography.

Video Resources

Trail of Bits: Constant-Time Programming - Overview of constant-time programming principles and tools

Weekly Installs

1.1K

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

claude-code951

opencode911

gemini-cli893

codex888

cursor866

github-copilot834

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装

恒定时间测试指南：防范密码学时序攻击与侧信道泄漏

🇨🇳中文介绍

恒定时间测试

背景

关键概念

为何重要

相关 Skills

常见的恒定时间违规模式

示例：模幂运算时序攻击

何时使用

快速参考

恒定时间工具类别

1. 形式化工具

2. 符号化工具

3. 动态工具

4. 统计工具

测试工作流程

工具和方法

Dudect - 统计分析

恒定时间分析快速入门

Timecop - 动态跟踪

恒定时间分析快速入门

实施指南

阶段 1：初步评估

阶段 2：详细分析

阶段 3：修复

阶段 4：持续监控

常见漏洞

依赖于秘密的分支：深入探讨

案例研究

案例研究：OpenSSL RSA 时序攻击

案例研究：KyberSlash

高级用法

技巧与窍门

常见错误

相关技能

工具技能

技术技能

相关领域技能

技能依赖关系图

资源

关键外部资源

视频资源

🇺🇸English

Constant-Time Testing

Background

Key Concepts

Why This Matters

Common Constant-Time Violation Patterns

Example: Modular Exponentiation Timing Attacks

When to Use

Quick Reference

Constant-Time Tooling Categories

1. Formal Tools

2. Symbolic Tools

3. Dynamic Tools

4. Statistical Tools

Testing Workflow

Tools and Approaches

Dudect - Statistical Analysis

Quick Start for Constant-Time Analysis

Timecop - Dynamic Tracing

Quick Start for Constant-Time Analysis

Implementation Guide

Phase 1: Initial Assessment

Phase 2: Detailed Analysis

Phase 3: Remediation

Phase 4: Continuous Monitoring

Common Vulnerabilities

Secret-Dependent Branch: Deep Dive

Case Studies

Case Study: OpenSSL RSA Timing Attack

Case Study: KyberSlash

Advanced Usage

Tips and Tricks

Common Mistakes

Related Skills

Tool Skills

Technique Skills

Related Domain Skills