Section: New Results

A domain-specific language for timing sensitive computation

Participants : Benjamin Grégoire, Sunjay Cauligi [UC San Diego] , Gilles Barthe [IMDEA] , Deian Stefan [UC San Diego] .

Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used high profile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we have participate to the development of FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. While the language and the type system has been developed by our collaborator, we have formalized the constant-time transformation. We have performed an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT’s design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior. This work has been published at an international conference [7].