{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,10]],"date-time":"2025-06-10T04:01:43Z","timestamp":1749528103784,"version":"3.41.0"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","issue":"3","license":[{"start":{"date-parts":[[2025,6,5]],"date-time":"2025-06-05T00:00:00Z","timestamp":1749081600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["TCHES"],"abstract":"<jats:p>It is a widely accepted standard practice to implement cryptographic software so that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as \u201cconstant-time\u201d software and typically involves following three rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about such variable-time arithmetic instructions, or vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that are intended to leak no information about their inputs through timing, even on future microarchitectures if the CPU is set to run in a dedicated DOIT (or DIT) mode. In this paper, we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even during speculative execution after a mispredicted branch or function return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography. We then use our solution to evaluate the extent to which existing cryptographic software built to be \u201cconstant-time\u201d is already secure in this stricter paradigm implied by DOIT and what the performance impact is to move from constant-time to future-proof constant-time.<\/jats:p>","DOI":"10.46586\/tches.v2025.i3.644-667","type":"journal-article","created":{"date-parts":[[2025,6,9]],"date-time":"2025-06-09T09:39:40Z","timestamp":1749461980000},"page":"644-667","source":"Crossref","is-referenced-by-count":0,"title":["Let\u2019s DOIT: Using Intel\u2019s Extended HW\/SW Contract for Secure Compilation of Crypto Code"],"prefix":"10.46586","volume":"2025","author":[{"given":"Santiago","family":"Arranz-Olmos","sequence":"first","affiliation":[]},{"given":"Gilles","family":"Barthe","sequence":"additional","affiliation":[]},{"given":"Benjamin","family":"Gr\u00e9goire","sequence":"additional","affiliation":[]},{"given":"Jan","family":"Jancar","sequence":"additional","affiliation":[]},{"given":"Vincent","family":"Laporte","sequence":"additional","affiliation":[]},{"given":"Tiago","family":"Oliveira","sequence":"additional","affiliation":[]},{"given":"Peter","family":"Schwabe","sequence":"additional","affiliation":[]}],"member":"25480","published-online":{"date-parts":[[2025,6,5]]},"container-title":["IACR Transactions on Cryptographic Hardware and Embedded Systems"],"original-title":[],"link":[{"URL":"https:\/\/ojs.ub.rub.de\/index.php\/TCHES\/article\/download\/12229\/12036","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/ojs.ub.rub.de\/index.php\/TCHES\/article\/download\/12229\/12036","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,9]],"date-time":"2025-06-09T09:39:40Z","timestamp":1749461980000},"score":1,"resource":{"primary":{"URL":"https:\/\/ojs.ub.rub.de\/index.php\/TCHES\/article\/view\/12229"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,5]]},"references-count":0,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025,6,5]]}},"URL":"https:\/\/doi.org\/10.46586\/tches.v2025.i3.644-667","relation":{},"ISSN":["2569-2925"],"issn-type":[{"value":"2569-2925","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,5]]}}}