---
res:
  bibo_abstract:
  - '<jats:p>It is a widely accepted standard practice to implement cryptographic
    software so that secret inputs do not influence the cycle count. Software following
    this paradigm is often referred to as “constant-time” software and typically involves
    following three rules: 1) never branch on a secret-dependent condition, 2) never
    access memory at a secret-dependent location, and 3) avoid variable-time arithmetic
    operations on secret data. The third rule requires knowledge about such variable-time
    arithmetic instructions, or vice versa, which operations are safe to use on secret
    inputs. For a long time, this knowledge was based on either documentation or microbenchmarks,
    but critically, there were never any guarantees for future microarchitectures.
    This changed with the introduction of the data-operand-independent-timing (DOIT)
    mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode
    on Arm CPUs. Both Intel and Arm document a subset of their respective instruction
    sets that are intended to leak no information about their inputs through timing,
    even on future microarchitectures if the CPU is set to run in a dedicated DOIT
    (or DIT) mode. In this paper, we present a principled solution that leverages DOIT
    to enable cryptographic software that is future-proof constant-time, in the sense
    that it ensures that only instructions from the DOIT subset are used to operate
    on secret data, even during speculative execution after a mispredicted branch
    or function return location. For this solution, we build on top of existing security
    type systems in the Jasmin framework for high-assurance cryptography. We then use
    our solution to evaluate the extent to which existing cryptographic software built
    to be “constant-time” is already secure in this stricter paradigm implied by DOIT
    and what the performance impact is to move from constant-time to future-proof
    constant-time.</jats:p>@eng'
  bibo_authorlist:
  - foaf_Person:
      foaf_givenName: Santiago
      foaf_name: Arranz-Olmos, Santiago
      foaf_surname: Arranz-Olmos
  - foaf_Person:
      foaf_givenName: Gilles
      foaf_name: Barthe, Gilles
      foaf_surname: Barthe
  - foaf_Person:
      foaf_givenName: Benjamin
      foaf_name: Grégoire, Benjamin
      foaf_surname: Grégoire
  - foaf_Person:
      foaf_givenName: Jan
      foaf_name: Jancar, Jan
      foaf_surname: Jancar
  - foaf_Person:
      foaf_givenName: Vincent
      foaf_name: Laporte, Vincent
      foaf_surname: Laporte
  - foaf_Person:
      foaf_givenName: Tiago
      foaf_name: Oliveira, Tiago
      foaf_surname: Oliveira
  - foaf_Person:
      foaf_givenName: Peter
      foaf_name: Schwabe, Peter
      foaf_surname: Schwabe
  bibo_doi: 10.46586/tches.v2025.i3.644-667
  bibo_issue: '3'
  bibo_volume: 2025
  dct_date: 2025^xs_gYear
  dct_isPartOf:
  - http://id.crossref.org/issn/2569-2925
  dct_publisher: Universitatsbibliothek der Ruhr-Universitat Bochum@
  dct_title: 'Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation
    of Crypto Code@'
...
