I’ve been thinking about this for similar reasons. At the Julia level, this isn’t too hard to achieve with a Cassette-like pass, but unfortunately there’s no guarantee LLVM won’t just undo those transformations. Of course C/C++ implementations have exactly the same problem, so all the crypto libraries that are claiming to have constant-time algorithms are probably lying unless they’re 100% assembly. There have been discussions in the LLVM community in the past about adding some attribute or other support that would force LLVM to preserve some sort of constant-time-ness property, but as far as I’m aware nobody has done any work on this.
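To make the concern in the post above concrete, here is an added C example (not part of the original post and not taken from any library) of source-level branchless code next to an early-exit comparison. All function names are hypothetical, and the empty inline-asm barrier assumes GCC/Clang syntax; it only makes it harder for the optimizer to reintroduce a branch and guarantees nothing, so the generated assembly still has to be inspected.

```c
#include <stddef.h>
#include <stdint.h>

/* Empty asm that claims to modify x: the optimizer can no longer prove that
 * x is 0 or all-ones, so it is less likely to turn masking back into a
 * branch. A mitigation only, not a guarantee (GCC/Clang syntax assumed). */
static inline uint32_t value_barrier_u32(uint32_t x) {
    __asm__ volatile("" : "+r"(x));
    return x;
}

/* 0xFFFFFFFF if x == 0, else 0: top bit of (~x & (x - 1)) is set only for 0. */
static uint32_t ct_is_zero_mask(uint32_t x) {
    uint32_t top = (~x & (x - 1)) >> 31;
    return value_barrier_u32(0u - top);
}

/* Returns a when mask is all-ones, b when mask is 0, with no branch in source. */
static uint32_t ct_select_u32(uint32_t mask, uint32_t a, uint32_t b) {
    mask = value_barrier_u32(mask);
    return (mask & a) | (~mask & b);
}

/* Reads all n bytes wherever the first difference is; 1 if equal, else 0. */
static int ct_bytes_equal(const uint8_t *p, const uint8_t *q, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(p[i] ^ q[i]);
    return (int)(ct_is_zero_mask(diff) & 1u);
}

/* For contrast: early exit, so run time depends on the first mismatch. */
static int leaky_bytes_equal(const uint8_t *p, const uint8_t *q, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] != q[i]) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample values, not real authentication tags. */
    const uint8_t a[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t b[4] = {0xde, 0xad, 0xbe, 0xee};
    int ok = ct_bytes_equal(a, a, 4) == 1 && ct_bytes_equal(a, b, 4) == 0 &&
             leaky_bytes_equal(a, b, 4) == 0 && ct_select_u32(0, 7, 9) == 9;
    return ok ? 0 : 1;
}
```

Both comparison functions return the same answers; the difference is only in timing behaviour, which is why the check has to be made on the compiler's output (for example the disassembly at each optimization level) rather than on the source.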