[llvm-dev] _ExtInt, LLVM integers and constant time

Roman Lebedev via llvm-dev llvm-dev at lists.llvm.org
Wed Apr 22 00:24:13 PDT 2020


On Wed, Apr 22, 2020 at 9:35 AM Adrien Guinet via llvm-dev
<llvm-dev at lists.llvm.org> wrote:
>
> Hello everyone,
>
> After reading the nice blog post about _ExtInt, I was wondering whether
> operations on i128/i256 and more generally on integer types in LLVM are
> guaranteed to be constant time or not.
I don't believe there's any such guarantee even for normal 8/16/32/64-bit
integers.

> For instance, for now, the x86 & aarch64 backends generate constant time
> code for additions on i256 integers (see https://godbolt.org/z/xMfkqz &
> https://godbolt.org/z/jbkSpe), but is there some guarantee that this
> will always be the case? For instance one could add an early exit if the
> carry is zero at some point.
>
> One use case is cryptography code on elliptic curves, where you need
> this constant-time property to avoid side channel leakages. Such a
> constant-time property would be nice and would allow directly using this
> extension, for which LLVM generates very efficient code (at least on
> x86/aarch64).
>
> Thanks everyone!
>
> --
> Adrien.
Roman
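
The early exit raised in the quoted message, as an added example that is not part of the original thread: a fixed-schedule 256-bit limb addition next to a hypothetical early-exit variant whose amount of work depends on the operands. The function names, the four-limb layout and the `steps` counter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define LIMBS 4 /* assumed layout: 4 x 64-bit limbs, least significant first */

/* Fixed schedule: every limb is processed and no branch depends on operand
 * values. That holds at source level only; the compiler is free to lower it
 * differently, which is the missing guarantee the reply points out. */
uint64_t add256_fixed(uint64_t *r, const uint64_t *a, const uint64_t *b)
{
    uint64_t carry = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t s = a[i] + carry;
        uint64_t c1 = s < carry; /* overflow from adding the carry-in */
        uint64_t t = s + b[i];
        uint64_t c2 = t < s;     /* overflow from adding b[i] */
        r[i] = t;
        carry = c1 | c2;         /* at most one of the two is set */
    }
    return carry;
}

/* Hypothetical early-exit shape: add limbs pairwise, then ripple a carry
 * upward only while one is pending. *steps counts ripple iterations, the
 * operand-dependent work that shows up as a timing difference. */
uint64_t add256_early_exit(uint64_t *r, const uint64_t *a, const uint64_t *b,
                           size_t *steps)
{
    uint64_t gen[LIMBS], out;
    *steps = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t t = a[i] + b[i];
        gen[i] = t < a[i];       /* carry generated by this limb alone */
        r[i] = t;
    }
    out = gen[LIMBS - 1];
    for (size_t i = 0; i + 1 < LIMBS; i++) {
        uint64_t c = gen[i];
        for (size_t j = i + 1; c && j < LIMBS; j++) { /* stops when carry dies */
            c = (++r[j] == 0);
            (*steps)++;
        }
        out |= c;                /* carry rippled past the top limb */
    }
    return out;
}
```

Both functions return the same sum and carry-out; only the second one's iteration count varies with the operand values, so inspecting the generated assembly for each target and compiler version remains the check that matters.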
