All skills
Skillintermediate

Constant-Time Analysis Skill

A Claude Code skill that detects timing side-channel vulnerabilities in cryptographic code by analyzing assembly or bytecode output for dangerous instructions.

Claude Code Knowledge Pack7/10/2026

Overview

Constant-Time Analysis Skill

A Claude Code skill that detects timing side-channel vulnerabilities in cryptographic code by analyzing assembly or bytecode output for dangerous instructions.

What This Skill Does

When activated, this skill helps Claude:

  • Detect timing vulnerabilities - Identifies variable-time instructions (division, floating-point) that leak secrets through execution timing
  • Analyze across architectures - Tests compiled output for x86_64, ARM64, RISC-V, and other targets
  • Support scripting languages - Analyzes PHP, JavaScript/TypeScript, Python, and Ruby via bytecode
  • Guide constant-time fixes - Provides patterns for Barrett reduction, constant-time selection, and safe comparisons
  • Integrate with CI - Produces JSON output suitable for automated pipelines

Supported Languages

LanguageAnalysis MethodReference Guide
C/C++Assembly (gcc/clang)references/compiled.md
GoAssembly (go)references/compiled.md
RustAssembly (rustc)references/compiled.md
PHPZend opcodes (VLD/OPcache)references/php.md
JavaScriptV8 bytecode (Node.js)references/javascript.md
TypeScriptV8 bytecode (tsc + Node.js)references/javascript.md
PythonCPython bytecode (dis)references/python.md
RubyYARV bytecodereferences/ruby.md

Supported Architectures (Compiled Languages)

ArchitectureDivision InstructionsCommon Use
x86_64DIV, IDIVServers, desktops
ARM64UDIV, SDIVMobile, Apple Silicon
ARMUDIV, SDIVEmbedded
RISC-VDIV, DIVU, REMEmerging platforms
PowerPCDIVW, DIVDLegacy servers
s390xD, DR, DLMainframes
i386DIV, IDIVLegacy

File Structure

skills/constant-time-analysis/
├── SKILL.md              # Entry point - routing and quick reference
├── README.md             # This file
└── references/
    ├── compiled.md       # C, C++, Go, Rust analysis
    ├── php.md            # PHP analysis (VLD installation, opcodes)
    ├── javascript.md     # JavaScript/TypeScript analysis
    ├── python.md         # Python analysis (dis module)
    └── ruby.md           # Ruby analysis (YARV)

The analyzer tool is located at ct_analyzer/analyzer.py in the plugin root.

Usage

The skill activates automatically when Claude detects:

  • Cryptographic code implementation (encryption, signing, key derivation)
  • Questions about timing attacks or constant-time programming
  • Code handling secret keys, tokens, or cryptographic material
  • Functions with division/modulo operations on potentially secret data

You can also invoke it explicitly by asking Claude to check code for timing vulnerabilities.

Example Prompts

"Check this crypto function for timing vulnerabilities"
"Is this signature verification constant-time?"
"Help me replace this division with Barrett reduction"
"Analyze this ML-KEM implementation for KyberSlash-style issues"
"What constant-time patterns should I use here?"

Quick Reference

VulnerabilityDetectionFix
Secret divisionDIV, IDIV, SDIV, UDIVBarrett reduction
Secret branchesJE, JNE, BEQ, BNEBit masking, cmov
Secret comparisonEarly-exit memcmpcrypto/subtle
Variable-time FPFDIV, FSQRTAvoid in crypto

Real-World Attacks

  • KyberSlash (2023) - Division in ML-KEM leaked keys
  • Lucky Thirteen (2013) - Padding timing in TLS
  • Timing attacks on RSA - Division in modular exponentiation