[llvm-dev] _ExtInt, LLVM integers and constant time
Roman Lebedev via llvm-dev
llvm-dev at lists.llvm.org
Wed Apr 22 00:24:13 PDT 2020
On Wed, Apr 22, 2020 at 9:35 AM Adrien Guinet via llvm-dev
<llvm-dev at lists.llvm.org> wrote:
> Hello everyone,
> After reading the nice blog post about _ExtInt, I was wondering whether
> operations on i128/i256 and more generally on integer types in LLVM are
> guaranteed to be constant time or not.

I don't believe there's any such guarantee even for normal 8/16/32/64

> For instance, for now, the x86 & aarch64 backend generate constant time
> code for additions on i256 integers (see https://godbolt.org/z/xMfkqz &
> https://godbolt.org/z/jbkSpe), but is there some guarantee that this
> will always be the case? For instance one could add an early exit if the
> carry is zero at some point.
> One use case is cryptography code on elliptic curves, where you need
> this constant-time property to avoid side channel leakages. Such
> constant-time property would be nice and allow to directly use this
> extension, for which LLVM generates very efficient code (at least on
> Thanks everyone!
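
An added illustration of the concern raised in this thread, not code from either poster or from LLVM: a 256-bit addition written without a data-dependent branch, beside a variant that branches on the carry. The four-limb layout, the function names and the `taken` counter (a stand-in for observable timing) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LIMBS 4 /* assumed layout: 256 bits as four little-endian 64-bit limbs */

/* No data-dependent branch in the source; returns the carry out of the top
 * limb. Whether the emitted code stays branch-free is the compiler's choice. */
uint64_t add256_ct(uint64_t r[LIMBS], const uint64_t a[LIMBS],
                   const uint64_t b[LIMBS])
{
    uint64_t carry = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + b[i];
        uint64_t t = s + carry;
        /* The two overflow conditions can never both hold for one limb. */
        uint64_t c = (uint64_t)(s < a[i]) | (uint64_t)(t < s);
        r[i] = t;
        carry = c;
    }
    return carry;
}

/* Same sum, but the carry is applied with a branch. *taken counts how often
 * the branch body ran: a proxy for the timing an observer could measure. */
uint64_t add256_branchy(uint64_t r[LIMBS], const uint64_t a[LIMBS],
                        const uint64_t b[LIMBS], unsigned *taken)
{
    uint64_t carry = 0;
    *taken = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + b[i];
        uint64_t c = s < a[i];
        if (carry) {              /* data-dependent branch on the carry */
            s += 1;
            c |= (uint64_t)(s == 0);
            (*taken)++;
        }
        r[i] = s;
        carry = c;
    }
    return carry;
}

int main(void)
{
    /* Constructed operands: same addend, very different carry chains. */
    const uint64_t x[LIMBS] = {UINT64_MAX, UINT64_MAX, UINT64_MAX, 0};
    const uint64_t y[LIMBS] = {1, 0, 0, 0}, one[LIMBS] = {1, 0, 0, 0};
    uint64_t r[LIMBS];
    unsigned nx, ny;
    add256_branchy(r, x, one, &nx);
    add256_branchy(r, y, one, &ny);
    printf("carry branches taken: x+1 -> %u, y+1 -> %u\n", nx, ny);
    return 0;
}
```

Both functions return the same sum and carry; only the branchy one does an amount of work that depends on the operand values.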