---
res:
  bibo_abstract:
  - Cryptography secures our online interactions, transactions, and trust. To achieve
    this goal, not only do the cryptographic primitives and protocols need to be secure
    in theory, they also need to be securely implemented by cryptographic library
    developers in practice. However, implementing cryptographic algorithms securely
    is challenging, even for skilled professionals, which can lead to vulnerable implementations,
    especially to side-channel attacks. For timing attacks, a severe class of side-channel
    attacks, there exist a multitude of tools that are supposed to help cryptographic
    library developers assess whether their code is vulnerable to timing attacks.
    Previous work has established that despite an interest in writing constant-time
    code, cryptographic library developers do not routinely use these tools due to
    their general lack of usability. However, the precise factors affecting the usability
    of these tools remain unexplored. While many of the tools are developed in an
    academic context, we believe that it is worth exploring the factors that contribute
    to or hinder their effective use by cryptographic library developers [61]. To
    assess what contributes to and detracts from usability of tools that verify constant-timeness
    (CT), we conducted a two-part usability study with 24 (post) graduate student
    participants on 6 tools across diverse tasks that approximate real-world use cases
    for cryptographic library developers. We find that all studied tools are affected
    by similar usability issues to varying degrees, with no tool excelling in usability,
    and usability issues preventing their effective use. Based on our results, we
    recommend that effective tools for verifying CT need usable documentation, simple
    installation, easy to adapt examples, clear output corresponding to CT violations,
    and minimal noninvasive code markup. We contribute first steps to achieving these
    with limited academic resources, with our documentation, examples, and installation
    scripts(1).@eng
  bibo_authorlist:
  - foaf_Person:
      foaf_givenName: M
      foaf_name: Fourn , M
      foaf_surname: 'Fourn '
  - foaf_Person:
      foaf_givenName: DD
      foaf_name: Braga, DD
      foaf_surname: Braga
  - foaf_Person:
      foaf_givenName: J
      foaf_name: Jancar, J
      foaf_surname: Jancar
  - foaf_Person:
      foaf_givenName: M
      foaf_name: Sabt, M
      foaf_surname: Sabt
  - foaf_Person:
      foaf_givenName: P
      foaf_name: Schwabe, P
      foaf_surname: Schwabe
  - foaf_Person:
      foaf_givenName: G
      foaf_name: Barthe, G
      foaf_surname: Barthe
  - foaf_Person:
      foaf_givenName: PA
      foaf_name: Fouque, PA
      foaf_surname: Fouque
  - foaf_Person:
      foaf_givenName: Y
      foaf_name: Acar, Y
      foaf_surname: Acar
  dct_date: 2024^xs_gYear
  dct_isPartOf:
  - http://id.crossref.org/issn/978-1-939133-44-1
  dct_language: eng
  dct_publisher: Usenix Assoc@
  dct_title: '"These results must be false": A usability evaluation of constant-time
    analysis tools@'
...