{"year":"2025","citation":{"chicago":"Arranz-Olmos, Santiago, Gilles Barthe, Benjamin Grégoire, Jan Jancar, Vincent Laporte, Tiago Oliveira, and Peter Schwabe. “Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code.” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i> 2025, no. 3 (2025): 644–67. <a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">https://doi.org/10.46586/tches.v2025.i3.644-667</a>.","ieee":"S. Arranz-Olmos <i>et al.</i>, “Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code,” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>, vol. 2025, no. 3, pp. 644–667, 2025, doi: <a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">10.46586/tches.v2025.i3.644-667</a>.","ama":"Arranz-Olmos S, Barthe G, Grégoire B, et al. Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code. <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>. 2025;2025(3):644-667. doi:<a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">10.46586/tches.v2025.i3.644-667</a>","apa":"Arranz-Olmos, S., Barthe, G., Grégoire, B., Jancar, J., Laporte, V., Oliveira, T., &#38; Schwabe, P. (2025). Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code. <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>, <i>2025</i>(3), 644–667. <a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">https://doi.org/10.46586/tches.v2025.i3.644-667</a>","bibtex":"@article{Arranz-Olmos_Barthe_Grégoire_Jancar_Laporte_Oliveira_Schwabe_2025, title={Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code}, volume={2025}, DOI={<a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">10.46586/tches.v2025.i3.644-667</a>}, number={3}, journal={IACR Transactions on Cryptographic Hardware and Embedded Systems}, publisher={Universitatsbibliothek der Ruhr-Universitat Bochum}, author={Arranz-Olmos, Santiago and Barthe, Gilles and Grégoire, Benjamin and Jancar, Jan and Laporte, Vincent and Oliveira, Tiago and Schwabe, Peter}, year={2025}, pages={644–667} }","short":"S. Arranz-Olmos, G. Barthe, B. Grégoire, J. Jancar, V. Laporte, T. Oliveira, P. Schwabe, IACR Transactions on Cryptographic Hardware and Embedded Systems 2025 (2025) 644–667.","mla":"Arranz-Olmos, Santiago, et al. “Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code.” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>, vol. 2025, no. 3, Universitatsbibliothek der Ruhr-Universitat Bochum, 2025, pp. 644–67, doi:<a href=\"https://doi.org/10.46586/tches.v2025.i3.644-667\">10.46586/tches.v2025.i3.644-667</a>."},"intvolume":"      2025","page":"644-667","publication_status":"published","publication_identifier":{"issn":["2569-2925"]},"issue":"3","title":"Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of Crypto Code","doi":"10.46586/tches.v2025.i3.644-667","publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","date_updated":"2026-04-30T09:32:27Z","date_created":"2026-04-30T09:31:53Z","author":[{"full_name":"Arranz-Olmos, Santiago","last_name":"Arranz-Olmos","first_name":"Santiago"},{"last_name":"Barthe","full_name":"Barthe, Gilles","first_name":"Gilles"},{"full_name":"Grégoire, Benjamin","last_name":"Grégoire","first_name":"Benjamin"},{"first_name":"Jan","last_name":"Jancar","full_name":"Jancar, Jan"},{"first_name":"Vincent","last_name":"Laporte","full_name":"Laporte, Vincent"},{"first_name":"Tiago","last_name":"Oliveira","full_name":"Oliveira, Tiago"},{"first_name":"Peter","last_name":"Schwabe","full_name":"Schwabe, Peter"}],"volume":2025,"abstract":[{"text":"<jats:p>It is a widely accepted standard practice to implement cryptographic software so that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as “constant-time” software and typically involves following three rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about such variable-time arithmetic instructions, or vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that are intended to leak no information about their inputs through timing, even on future microarchitectures if the CPU is set to run in a dedicated DOIT (or DIT) mode.In this paper, we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even during speculative execution after a mispredicted branch or function return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography.We then use our solution to evaluate the extent to which existing cryptographic software built to be “constant-time” is already secure in this stricter paradigm implied by DOIT and what the performance impact is to move from constant-time to future-proof constant-time.</jats:p>","lang":"eng"}],"status":"public","type":"journal_article","publication":"IACR Transactions on Cryptographic Hardware and Embedded Systems","_id":"65537","user_id":"125442"}