The constant-time property is considered the security standard for cryptographic code. Code following the constant-time discipline is free from secret-dependent branches and memory accesses, and thus avoids leaking secrets through cache and timing side-channels. The constant-time property makes a number of implicit assumptions that are fundamentally at odds with the reality of cryptographic code. Constant-time is not robust. The first issue with constant-time is that it is a whole-program property: It relies on the entirety of the code base being constant-time. But, cryptographic developers do not generally write whole programs; rather, they provide libraries and specific algorithms for other application developers to use. As such, developers of security libraries must maintain their security guarantees even when their code is operating within (potentially untrusted) application contexts. Constant-time requires memory safety. The whole-program nature of constant-time also leads to a second issue: constant-time requires memory safety of all the running code. Any memory safety bugs, whether in the library or the application, will wend their way back to side-channel leaks of secrets if not direct disclosure. And although cryptographic libraries should (and are) written to be memory-safe, it is unfortunately unrealistic to expect the same from every application that uses each library. We formalize robust constant-time and build a RobustIsoCrypt compiler that transforms the library code and protects the secrets even when they are linked with untrusted code. Our evaluation with SUPERCOP benchmarking framework shows that the performance overhead is less than five percent on average.

翻译：恒时性被认为是密码学代码的安全标准。遵循恒时规范的代码不依赖于秘密的代码分支和内存访问，从而避免通过缓存和时序侧信道泄露秘密。然而，恒时性隐含的一系列假设从根本上与密码学代码的现实相悖：恒时性并非鲁棒的。恒时性的首要问题在于它是一种全局程序属性：它依赖于整个代码库均满足恒时性。但密码学开发者通常不编写完整程序，而是提供供其他应用开发者使用的库和特定算法。因此，安全库的开发者必须确保其代码在（可能不可信的）应用环境中运行时仍能维持安全保证。恒时性要求内存安全。恒时性的全局程序性质还导致第二个问题：它要求所有运行代码均具备内存安全性。任何内存安全漏洞——无论是库本身还是应用程序中的——都将以侧信道泄露秘密的方式间接暴露，甚至直接泄露秘密。尽管密码学库应当（且确实）被编写为内存安全的，但要求使用每个库的所有应用程序同样具备内存安全却是不切实际的。我们形式化定义了鲁棒恒时性，并构建了RobustIsoCrypt编译器。该编译器可转换库代码，即使将代码与不可信代码链接时也能保护秘密。基于SUPERCOP基准测试框架的评估表明，其性能开销平均低于5%。