Constant-time implementation
A constant-time implementation is code whose execution time and memory-access pattern do not depend on secret values such as keys or plaintext. It is the standard defense against timing and other side-channel attacks, which recover secrets by measuring how long an operation takes, which cache lines it touches, or how much power it draws, rather than by breaking the underlying mathematics.
How it is achieved
Constant-time code avoids secret-dependent branches, secret-dependent array indices, and variable-time instructions such as some division and modular-reduction paths. Comparisons and conditional selections are rewritten as arithmetic over the whole input so that control flow stays fixed. Paul Kocher's 1996 timing attacks on RSA and Diffie-Hellman first made the risk concrete, and the discipline is now standard in libraries such as the one documented by BearSSL. Post-quantum schemes carry their own hazards: rejection sampling in ML-DSA and the decapsulation check in ML-KEM must be coded carefully, and constant-time behavior is equally required when implementing AES and other primitives.
Sources
- Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems (CRYPTO 1996) (Paul C. Kocher, Springer, 1996)
- Why Constant-Time Crypto? (BearSSL, 2018)
Cite this entry
"Constant-time implementation." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/constant-time@misc{pqwiki-constant-time,
title = {Constant-time implementation},
howpublished = {\url{https://postquantum.wiki/constant-time}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}