[RFC] Constant-Time Coding Support

tarcieri · August 11, 2025, 1:15pm

Hi there, I’m one of the leads of RustCrypto.

I used to propose an attribute-based solution in [RFC] Constant Time Execution Guarantees in LLVM . It is intended to reuse the existing codebase and maintain a good performance. However, after a deep investigation on OpenSSL and BoringSSL, I found that the patterns are significantly different from other applications. Therefore, adding a set of primitives and writing specific optimizations for crypto applications seems feasible.

We are still in a position where we would prefer to replace code using new intrinsics to get constant-time guarantees, as opposed to incremental hardening. If I understand how your proposal was supposed to work, it sounds like it might make it difficult to mix constant-time and non-constant-time operations, e.g. only performing constant-time operations on values containing secrets, and using non-constant-time operations on non-secret values for performance.

In the past some of us had worked with Chandler Carruth to come up with a proposal to add “secret integer types” to Rust which would ideally lower to LLVM types which would ensure only the instructions on your list are executed on them, avoiding ever branching on them or using them in pointer calculations:

github.com/rust-lang/rfcs

added secret types rfc

master ← avadacatavra:secret-types

opened 05:42PM - 23 Jan 20 UTC

avadacatavra

+206 -0

### [Rendered](https://github.com/avadacatavra/rfcs/blob/secret-types/text/0000-…secret-types.md) The goal is to provide primitive data types that can be used to traffic in transient secrets in code that are important to not accidentally leak. These new primitives would be used in conjunction with an in-progress LLVM RFC to ensure important security invariants like secret-independent runtime are maintained throughout the compilation process. Note that we explicitly do not want secret_isize and secret_usize, because we do not want to index based on secrets.

I believe there was some internal work in Google to implement this for Rust+LLVM+RISC-V but I’m not sure that ever saw the light of day.

Using types for this purpose prevents confusion around “forgetting to use the constant time version of a function”. Ideally it should be impossible to misuse such types, aside from converting them to non-secret integer types and then performing non-constant-time operations on them.

Regarding the OP, we’ve worked around x86-cmov-conversion using inline assembly (emitting cmov family on x86, csel on ARM, with a “best effort” portable fallback with no guarantees):

I think it would be great to have first-class support for something like this in LLVM. It has become commonplace for new cryptographic specifications to use a pseudocode “CMOV”-like function to describe where to apply this sort of predication.

Topic		Replies	Views
[RFC] Constant Time Execution Guarantees in LLVM IR & Optimizations	7	740	August 8, 2025
_ExtInt, LLVM integers and constant time LLVM Dev List Archives	6	188	May 3, 2020
Side-channel resistant values LLVM Dev List Archives	14	236	September 15, 2019
[GSoC] LLVM IR Constant timeness notion LLVM Dev List Archives	0	115	March 25, 2020
GlobalISel design update and goals LLVM Dev List Archives	17	303	August 13, 2018

[RFC] Constant-Time Coding Support

Related topics