---
_id: '65537'
abstract:
- lang: eng
text: 'It is a widely accepted standard practice to implement cryptographic
    software so that secret inputs do not influence the cycle count. Software following
    this paradigm is often referred to as “constant-time” software and typically involves
    following three rules: 1) never branch on a secret-dependent condition, 2) never
    access memory at a secret-dependent location, and 3) avoid variable-time arithmetic
    operations on secret data. The third rule requires knowledge about such variable-time
    arithmetic instructions or, conversely, about which operations are safe to use on secret
    inputs. For a long time, this knowledge was based on either documentation or microbenchmarks,
    but critically, there were never any guarantees for future microarchitectures.
    This changed with the introduction of the data-operand-independent-timing (DOIT)
    mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode
    on Arm CPUs. Both Intel and Arm document a subset of their respective instruction
    sets that are intended to leak no information about their inputs through timing,
    even on future microarchitectures, if the CPU is set to run in a dedicated DOIT
    (or DIT) mode. In this paper, we present a principled solution that leverages DOIT
    to enable cryptographic software that is future-proof constant-time, in the sense
    that it ensures that only instructions from the DOIT subset are used to operate
    on secret data, even during speculative execution after a mispredicted branch
    or function return location. For this solution, we build on top of existing security
    type systems in the Jasmin framework for high-assurance cryptography. We then use
    our solution to evaluate the extent to which existing cryptographic software built
    to be “constant-time” is already secure in this stricter paradigm implied by DOIT
    and what the performance impact is of moving from constant-time to future-proof
    constant-time.'
author:
- first_name: Santiago
  full_name: Arranz-Olmos, Santiago
  last_name: Arranz-Olmos
- first_name: Gilles
  full_name: Barthe, Gilles
  last_name: Barthe
- first_name: Benjamin
  full_name: Grégoire, Benjamin
  last_name: Grégoire
- first_name: Jan
  full_name: Jancar, Jan
  last_name: Jancar
- first_name: Vincent
  full_name: Laporte, Vincent
  last_name: Laporte
- first_name: Tiago
  full_name: Oliveira, Tiago
  last_name: Oliveira
- first_name: Peter
  full_name: Schwabe, Peter
  last_name: Schwabe
citation:
  ama: 'Arranz-Olmos S, Barthe G, Grégoire B, et al. Let’s DOIT: Using Intel’s Extended
    HW/SW Contract for Secure Compilation of Crypto Code. <i>IACR Transactions on
    Cryptographic Hardware and Embedded Systems</i>. 2025;2025(3):644-667. doi:<a
    href="https://doi.org/10.46586/tches.v2025.i3.644-667">10.46586/tches.v2025.i3.644-667</a>'
  apa: 'Arranz-Olmos, S., Barthe, G., Grégoire, B., Jancar, J., Laporte, V., Oliveira,
    T., &#38; Schwabe, P. (2025). Let’s DOIT: Using Intel’s Extended HW/SW Contract
    for Secure Compilation of Crypto Code. <i>IACR Transactions on Cryptographic Hardware
    and Embedded Systems</i>, <i>2025</i>(3), 644–667. <a href="https://doi.org/10.46586/tches.v2025.i3.644-667">https://doi.org/10.46586/tches.v2025.i3.644-667</a>'
  bibtex: '@article{Arranz-Olmos_Barthe_Grégoire_Jancar_Laporte_Oliveira_Schwabe_2025,
    title={Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation
    of Crypto Code}, volume={2025}, DOI={<a href="https://doi.org/10.46586/tches.v2025.i3.644-667">10.46586/tches.v2025.i3.644-667</a>},
    number={3}, journal={IACR Transactions on Cryptographic Hardware and Embedded
    Systems}, publisher={Universitatsbibliothek der Ruhr-Universitat Bochum}, author={Arranz-Olmos,
    Santiago and Barthe, Gilles and Grégoire, Benjamin and Jancar, Jan and Laporte,
    Vincent and Oliveira, Tiago and Schwabe, Peter}, year={2025}, pages={644–667}
    }'
  chicago: 'Arranz-Olmos, Santiago, Gilles Barthe, Benjamin Grégoire, Jan Jancar,
    Vincent Laporte, Tiago Oliveira, and Peter Schwabe. “Let’s DOIT: Using Intel’s
    Extended HW/SW Contract for Secure Compilation of Crypto Code.” <i>IACR Transactions
    on Cryptographic Hardware and Embedded Systems</i> 2025, no. 3 (2025): 644–67.
    <a href="https://doi.org/10.46586/tches.v2025.i3.644-667">https://doi.org/10.46586/tches.v2025.i3.644-667</a>.'
  ieee: 'S. Arranz-Olmos <i>et al.</i>, “Let’s DOIT: Using Intel’s Extended HW/SW
    Contract for Secure Compilation of Crypto Code,” <i>IACR Transactions on Cryptographic
    Hardware and Embedded Systems</i>, vol. 2025, no. 3, pp. 644–667, 2025, doi: <a
    href="https://doi.org/10.46586/tches.v2025.i3.644-667">10.46586/tches.v2025.i3.644-667</a>.'
  mla: 'Arranz-Olmos, Santiago, et al. “Let’s DOIT: Using Intel’s Extended HW/SW Contract
    for Secure Compilation of Crypto Code.” <i>IACR Transactions on Cryptographic
    Hardware and Embedded Systems</i>, vol. 2025, no. 3, Universitatsbibliothek der
    Ruhr-Universitat Bochum, 2025, pp. 644–67, doi:<a href="https://doi.org/10.46586/tches.v2025.i3.644-667">10.46586/tches.v2025.i3.644-667</a>.'
  short: S. Arranz-Olmos, G. Barthe, B. Grégoire, J. Jancar, V. Laporte, T. Oliveira,
    P. Schwabe, IACR Transactions on Cryptographic Hardware and Embedded Systems 2025
    (2025) 644–667.
date_created: 2026-04-30T09:31:53Z
date_updated: 2026-04-30T09:32:27Z
doi: 10.46586/tches.v2025.i3.644-667
intvolume: '      2025'
issue: '3'
page: 644-667
publication: IACR Transactions on Cryptographic Hardware and Embedded Systems
publication_identifier:
  issn:
  - 2569-2925
publication_status: published
publisher: Universitatsbibliothek der Ruhr-Universitat Bochum
status: public
title: 'Let’s DOIT: Using Intel’s Extended HW/SW Contract for Secure Compilation of
  Crypto Code'
type: journal_article
user_id: '125442'
volume: 2025
year: '2025'
...
