

An implementation of the DudeCT constant-time function tester

7 releases (4 breaking)

Uses new Rust 2021

0.5.0 Aug 26, 2022
0.4.1 Sep 8, 2019
0.4.0 Apr 14, 2019
0.3.1 Apr 14, 2019
0.1.0 Jul 7, 2017

#455 in Cryptography


67 downloads per month

MIT license

476 lines



This crate implements the DudeCT statistical methods for testing constant-time functions. It is loosely based on the bencher crate.


Example use is as follows. Since this requires the current crate as a dependency, it is easiest to put the benchmarks in examples/. Take a look at examples/ctbench-foo.rs for sample source code.

To run all the benchmarks in examples/ctbench-foo.rs, you can simply run cargo run --release --example ctbench-foo.

To run the subset of the benchmarks in the above file whose names contain the substring ar, run cargo run --release --example ctbench-foo -- --filter ar.

To run the vec_eq benchmark continuously, collecting more samples as it goes along, run cargo run --release --example ctbench-foo -- --continuous vec_eq.

To run the benchmarks in ctbench-foo and get the raw runtimes in CSV format, run cargo run --release --example ctbench-foo -- --out data.csv.

Interpreting Output

The benchmark output looks like

bench array_eq ... : n == +0.046M, max t = +61.61472, max tau = +0.28863, (5/tau)^2 = 300

It is interpreted as follows. First, note that the runtime distributions are cropped at different percentiles and about 100 t-tests are performed. Of these t-tests, the one that produces the largest absolute t-value is printed as max_t. The other values printed are

  • n, indicating the number of samples used in computing this t-value
  • max_tau, which is the t-value scaled for the sample size (formally, max_tau = max_t / sqrt(n))
  • (5/tau)^2, which indicates the number of measurements that would be needed to distinguish the two distributions with t > 5

t-values greater than 5 are generally considered a good indication that the function is not constant-time. A t-value less than 5 does not necessarily imply that the function is constant-time, since there may be other input distributions under which the function behaves significantly differently.
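
The statistics described above, as an added stand-alone example that is not the crate's own code: Welch's t-test over two runtime classes, the derived tau and (5/tau)^2, and the max-|t| selection across cropped copies. The names `Summary`, `welch` and `max_t` are hypothetical, the runtimes are constructed, and cropping at upper percentiles of the pooled runtimes is an assumption about how the crops are taken.

```rust
// Added example, not dudect-bencher's code. Names are hypothetical; cropping
// at upper percentiles of the pooled runtimes is an assumption.
#[derive(Debug, Clone, Copy)]
struct Summary { n: usize, t: f64, tau: f64, needed: f64 }

/// Mean and unbiased sample variance.
fn mean_var(xs: &[f64]) -> (f64, f64) {
    let n = xs.len() as f64;
    let mean = xs.iter().sum::<f64>() / n;
    (mean, xs.iter().map(|x| (x - mean).powi(2)).sum::<f64>() / (n - 1.0))
}

/// Welch's t-test between two runtime classes. Returns None when a class has
/// fewer than two samples or there is no variance (t is undefined).
fn welch(left: &[f64], right: &[f64]) -> Option<Summary> {
    if left.len() < 2 || right.len() < 2 { return None; }
    let ((m0, v0), (m1, v1)) = (mean_var(left), mean_var(right));
    let se = (v0 / left.len() as f64 + v1 / right.len() as f64).sqrt();
    if se == 0.0 { return None; }
    let n = left.len() + right.len();
    let t = (m0 - m1) / se;
    let tau = t / (n as f64).sqrt(); // t scaled for the sample size
    Some(Summary { n, t, tau, needed: (5.0 / tau).powi(2) })
}

/// Test the full data and each cropped copy; keep the result with largest |t|.
fn max_t(left: &[f64], right: &[f64], percentiles: &[f64]) -> Option<Summary> {
    let mut best = welch(left, right)?;
    let mut pooled: Vec<f64> = left.iter().chain(right).copied().collect();
    pooled.sort_by(|a, b| a.total_cmp(b));
    let crop = |xs: &[f64], cut: f64| -> Vec<f64> {
        xs.iter().copied().filter(|x| *x <= cut).collect()
    };
    for p in percentiles {
        let i = (((pooled.len() - 1) as f64 * p) as usize).min(pooled.len() - 1);
        if let Some(s) = welch(&crop(left, pooled[i]), &crop(right, pooled[i])) {
            if s.t.abs() > best.t.abs() { best = s; }
        }
    }
    Some(best)
}

fn main() {
    // Constructed runtimes: one outlier in `left` hides a real difference.
    let (left, right) = ([10.0, 11.0, 12.0, 13.0, 1000.0], [20.0, 21.0, 22.0, 23.0, 24.0]);
    let crops: [&[f64]; 2] = [&[], &[0.9]];
    for c in crops.iter() {
        let s = max_t(&left, &right, c).unwrap();
        println!("n == {}, max t = {:+.5}, max tau = {:+.5}, (5/tau)^2 = {:.0}", s.n, s.t, s.tau, s.needed);
    }
}
```

On the constructed data the uncropped test stays below |t| = 5 because the single outlier inflates the variance, while the copy cropped at the 90th percentile exceeds it.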


Licensed under either of

at your option.


~30K SLoC