Checking that functions are constant time with Valgrind (2010)
10 points
4 days ago
| 2 comments
| imperialviolet.org
| HN
weinzierl
2 days ago
[-]
"That's assuming that the fundamental processor instructions are constant time, but that's true for all sane CPUs."

Is this really true? Does't the runtime of some arithmetic instructions (like IDIV) depend on the argument?

reply
pm215
2 days ago
[-]
Yes, especially as CPUs have got faster and put in more clever tricks to improve performance (bear in mind that this blog post is 15 years old). Modern architectures have introduced modes to allow you to turn this off so that for your crypto code you can get back the not-data-dependent timing you wanted. For instance on Arm that's FEAT_DIT:

https://developer.arm.com/documentation/ddi0601/2025-06/AArc...

and the set of instructions you can safely use is listed.

I believe Intel has a similar thing.

reply
quotemstr
2 days ago
[-]
Partial solutions are still valuable. This valgrind hack lets you pose the question "Is this code constant time?"

It doesn't tell you "yes" or "no", but it does tell you "definitely not" or "maybe". This information is useful even if it's not the whole story.

reply
monkeyelite
2 days ago
[-]
There is a small bound for an integer of a given length.
reply
paulf38
2 days ago
[-]
That's a 15 year old blog post and the linked GH repo hasn't been updated.
reply
bobmcnamara
2 days ago
[-]
It wasn't true back then, but should be common knowledge now: branches have variable timing.
reply