[llvm-dev] _ExtInt, LLVM integers and constant time

Adrien Guinet via llvm-dev llvm-dev at lists.llvm.org
Tue Apr 21 23:35:09 PDT 2020


Hello everyone,

After reading the nice blog post about _ExtInt, I was wondering whether
operations on i128/i256 and more generally on integer types in LLVM are
guaranteed to be constant time or not.

For instance, for now, the x86 & aarch64 backends generate constant-time
code for additions on i256 integers (see https://godbolt.org/z/xMfkqz &
https://godbolt.org/z/jbkSpe), but is there some guarantee that this
will always be the case? For instance, one could add an early exit if the
carry is zero at some point.

One use case is cryptography code on elliptic curves, where you need
this constant-time property to avoid side-channel leakage. Such a
constant-time property would be nice and would allow using this
extension directly, for which LLVM generates very efficient code (at
least on x86/aarch64).

Thanks everyone!

-- 
Adrien.
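
The early exit the message worries about, as an added example that is not part of the original post and is not LLVM's code: a 256-bit addition written over four 64-bit limbs, once with a fixed carry chain and once with a carry ripple that stops when no carry is pending. The function names and the step counts used as a stand-in for running time are assumptions of this sketch, and the fixed-shape C source is itself no guarantee about the instructions a compiler emits.

```c
#include <stdint.h>
#include <stdio.h>

#define LIMBS 4 /* 4 x 64-bit limbs = 256 bits, least significant limb first */

/* Fixed shape: every limb is visited and the carry is folded in arithmetically.
 * Returns the number of limb steps as a stand-in for running time. */
static unsigned add256_fixed(uint64_t r[LIMBS], const uint64_t a[LIMBS],
                             const uint64_t b[LIMBS]) {
    uint64_t carry = 0;
    unsigned steps = 0;
    for (int i = 0; i < LIMBS; i++, steps++) {
        uint64_t s = a[i] + b[i];
        r[i] = s + carry;
        carry = (uint64_t)(s < a[i]) | (uint64_t)(r[i] < s);
    }
    return steps;
}

/* Hypothetical lowering with an early exit: add limbs independently, then
 * ripple carries only while one is pending. Returns the number of rounds. */
static unsigned add256_early_exit(uint64_t r[LIMBS], const uint64_t a[LIMBS],
                                  const uint64_t b[LIMBS]) {
    uint64_t c[LIMBS]; /* c[i]: carry out of limb i not yet added to limb i+1 */
    unsigned rounds = 0;
    for (int i = 0; i < LIMBS; i++) {
        r[i] = a[i] + b[i];
        c[i] = r[i] < a[i];
    }
    while (c[0] | c[1] | c[2]) { /* operand-dependent exit (top carry dropped) */
        uint64_t in = 0;
        for (int i = 0; i < LIMBS; i++) {
            uint64_t out = c[i];
            r[i] += in;
            c[i] = r[i] < in;
            in = out;
        }
        rounds++;
    }
    return rounds;
}

int main(void) {
    uint64_t r[LIMBS];
    /* Constructed operands: one pair with no carries, one with a full ripple. */
    const uint64_t quiet[LIMBS] = {1, 2, 3, 4}, small[LIMBS] = {5, 6, 7, 8};
    const uint64_t ripple[LIMBS] = {UINT64_MAX, UINT64_MAX, UINT64_MAX, 0};
    const uint64_t one[LIMBS] = {1, 0, 0, 0};
    printf("fixed: %u, %u\n", add256_fixed(r, quiet, small), add256_fixed(r, ripple, one));
    printf("early exit: %u, %u\n", add256_early_exit(r, quiet, small), add256_early_exit(r, ripple, one));
    return 0;
}
```

Both functions return the same sum, but the early-exit variant's round count depends on the operand values, which is the dependence constant-time elliptic-curve code has to rule out.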