Back to Skills

constant-time-analysis

verified

Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.

View on GitHub

Marketplace

trailofbits

trailofbits/skills

Plugin

constant-time-analysis

Repository
Verified Org

trailofbits/skills
1.9kstars

plugins/constant-time-analysis/skills/constant-time-analysis/SKILL.md

Last Verified

January 24, 2026

Install Skill

Select agents to install to:

Scope:
npx add-skill https://github.com/trailofbits/skills/blob/main/plugins/constant-time-analysis/skills/constant-time-analysis/SKILL.md -a claude-code --skill constant-time-analysis

Installation paths:

Claude
.claude/skills/constant-time-analysis/
Powered by add-skill CLI

Instructions

# Constant-Time Analysis

Analyze cryptographic code to detect operations that leak secret data through execution timing variations.

## When to Use

```text
User writing crypto code? ──yes──> Use this skill
         │
         no
         │
         v
User asking about timing attacks? ──yes──> Use this skill
         │
         no
         │
         v
Code handles secret keys/tokens? ──yes──> Use this skill
         │
         no
         │
         v
Skip this skill
```

**Concrete triggers:**

- User implements signature, encryption, or key derivation
- Code contains `/` or `%` operators on secret-derived values
- User mentions "constant-time", "timing attack", "side-channel", "KyberSlash"
- Reviewing functions named `sign`, `verify`, `encrypt`, `decrypt`, `derive_key`

## When NOT to Use

- Non-cryptographic code (business logic, UI, etc.)
- Public data processing where timing leaks don't matter
- Code that doesn't handle secrets, keys, or authentication tokens
- High-level API usage where timing is handled by the library

## Language Selection

Based on the file extension or language context, refer to the appropriate guide:

| Language   | File Extensions                   | Guide                                                    |
| ---------- | --------------------------------- | -------------------------------------------------------- |
| C, C++     | `.c`, `.h`, `.cpp`, `.cc`, `.hpp` | [references/compiled.md](references/compiled.md)         |
| Go         | `.go`                             | [references/compiled.md](references/compiled.md)         |
| Rust       | `.rs`                             | [references/compiled.md](references/compiled.md)         |
| Swift      | `.swift`                          | [references/swift.md](references/swift.md)               |
| Java       | `.java`                           | [references/vm-compiled.md](references/vm-compiled.md)   |
| Kotlin     | `.kt`, `.kts`                     | [references/kotlin.md](referen

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length:
8163 chars