CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
Yuval Yarom
Tuesday, March 28, 2017, 3:00-4:00 pm
Abstract

In recent years, microarchitectural attacks have become a significant threat to cryptographic software and hardware.  In particular, cache-based side-channel attacks have had devastating effects on the underlying cryptographic primitives, often resulting in complete key compromise. In response, implementations have adopted a "constant-time" programming approach to mitigate the attacks.

Constant-time is a name for a collection of techniques that ensure that the execution of a cryptographic algorithm does not leak secret information via timing, execution path or memory access.  In a nutshell, it requires that the program uses operations whose timing is constant, and does not use secret-dependent memory accesses or branches.
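To make the two rules in the paragraph above concrete, the following C code (an added illustration written for this page, not code from the talk, from OpenSSL, or from the authors) shows a byte-string comparison and a table lookup written first in the natural, variable-time way and then in the strict constant-time style: the constant-time versions touch the same memory and execute the same instructions regardless of the secret. The function names, the sample table and the sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- Rule 1: no secret-dependent branches ------------------------------- */

/* Variable-time comparison: the early return is a branch on secret data, so
 * the number of loop iterations reveals the position of the first mismatch. */
int compare_variable_time(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always visits all n bytes, accumulates the XOR of
 * every pair, and converts the accumulator to 0/1 with arithmetic instead of
 * a branch. (diff - 1) only borrows into bit 31 when diff == 0. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* --- Rule 2: no secret-dependent memory accesses ------------------------ */

/* Returns 0xFFFFFFFF when x == y and 0 otherwise, without branching:
 * (d | -d) has its top bit set exactly when d != 0. */
static uint32_t ct_eq_mask(uint32_t x, uint32_t y) {
    uint32_t d  = x ^ y;
    uint32_t nz = (d | (0u - d)) >> 31;   /* 1 iff d != 0 */
    return nz - 1u;                       /* 0 -> all ones, 1 -> zero */
}

/* Variable-time lookup: which cache line (or cache bank) is touched depends
 * directly on the secret index idx. */
uint32_t select_variable_time(const uint32_t *table, size_t len, size_t idx) {
    (void)len;
    return table[idx];
}

/* Constant-time lookup: reads every entry of the table and keeps only the
 * wanted one via a mask, so the sequence of addresses accessed is the same
 * for every idx. */
uint32_t select_constant_time(const uint32_t *table, size_t len, size_t idx) {
    uint32_t out = 0;
    for (size_t i = 0; i < len; i++)
        out |= table[i] & ct_eq_mask((uint32_t)i, (uint32_t)idx);
    return out;
}

int main(void) {
    /* Constructed sample data for a stand-alone run. */
    const uint8_t tag_a[4] = {1, 2, 3, 4};
    const uint8_t tag_b[4] = {1, 2, 9, 4};
    const uint32_t table[8] = {10, 20, 30, 40, 50, 60, 70, 80};

    printf("compare (ct): %d\n", compare_constant_time(tag_a, tag_b, 4));
    printf("select  (ct): %u\n", (unsigned)select_constant_time(table, 8, 5));
    return 0;
}
```

The constant-time versions pay for their safety in work: the lookup reads the whole table instead of one entry, which is the overhead the talk's "relaxations" of the model try to reduce. Two caveats apply when using this style in practice: an optimising compiler may rewrite arithmetic masking back into branches, so production libraries inspect the generated code or use barriers, and "always reads every entry" is only the rule at whatever granularity the attacker can observe; if the adversary can distinguish accesses finer than a cache line, a lookup that merely stays within one line is not constant-time by this definition.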

To reduce the performance overhead of constant-time programming, developers have explored some relaxations of the model.  In this talk I will cover some cache-based side-channel attacks and demonstrate how relaxing constant-time programming often renders implementations vulnerable.

The talk is self-contained and assumes no specialist knowledge of either processor microarchitecture or cryptography.  This is joint work with Daniel Genkin and Nadia Heninger.

This talk is organized by Jonathan Katz