constant-time-analysis

This skill provides a specialized analyzer designed to identify timing side-channel vulnerabilities within cryptographic implementations. It is intended for security engineers, cryptographers, and developers tasked with writing, reviewing, or auditing sensitive code that handles secret keys, tokens, or authentication mechanisms. By analyzing execution timing variations, the tool helps prevent attacks where secret data is leaked through the time taken to perform mathematical operations or conditional branching.

• Performs automated detection of secret-dependent branches and potentially leaky mathematical operations like division or modulo on secret values.

• Supports a wide array of languages including C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, and Ruby.

• Provides architecture-aware analysis for native languages (x86_64, arm64) and bytecode-level evaluation for VM-based languages (JVM/CIL).

• Offers flexible reporting options, including standard output, warnings for conditional branches, and JSON exports for integration into CI/CD pipelines.

• Includes support for multi-platform optimization testing to ensure security invariants hold across different compiler and interpreter settings.

• Use this skill when implementing core primitives such as signature generation, decryption, key derivation, or when verifying the constant-time nature of your code.

• The analyzer is triggered by sensitive operations including signature, verify, encrypt, decrypt, and derive_key functions, as well as explicit mentions of timing attacks, KyberSlash, or side-channel concerns.

• Ensure prerequisites like specific compiler toolchains (gcc, clang, swiftc, javac, dotnet) are correctly configured in the PATH to leverage full analysis capabilities.

• Note that this tool focuses on cryptographic correctness and timing leaks; it is not intended for general-purpose performance profiling of non-cryptographic business logic.

• Consult the provided reference guides for language-specific setup, especially when working with VM-based languages like Java or C# where JIT behavior may impact observability.