Systematic Timing Leakage Analysis of NIST PQDSS Candidates: Tooling and Lessons Learned

📅 2025-09-04
🤖 AI Summary
This study addresses potential timing side-channel leakage in NIST post-quantum digital signature standardization candidates. We present the first automated toolchain for verifying constant-time (CT) compliance directly on binary code. Methodologically, we integrate TIMECOP with Binsec/Rel2 to perform fine-grained, binary-level CT policy verification, and combine dudect with RTLF for statistical timing behavior analysis. Applying this framework to 14 open-source implementations from NIST’s first and second PQC standardization rounds, we systematically identify 26 timing vulnerabilities—five of which have been confirmed and patched. Our approach significantly improves the accuracy, scalability, and practical applicability of CT analysis. By enabling reproducible, integrable verification, the toolchain supports both secure implementation practices and evidence-based standardization decisions for post-quantum cryptography.

📝 Abstract
The PQDSS standardization process requires cryptographic primitives to be free from vulnerabilities, including timing and cache side-channels. Resistance to timing leakage is therefore an essential property, and achieving it typically relies on software implementations that follow constant-time principles. Moreover, ensuring that all implementations are constant-time is crucial for fair performance comparisons, as secure implementations often incur additional overhead. Such analysis also helps identify scheme proposals that are inherently difficult to implement in constant time. Because constant-time properties can be broken during compilation, it is often necessary to analyze the compiled binary directly. Since manual binary analysis is extremely challenging, automated analysis becomes highly important. Although several tools exist to assist with such analysis, they often have usability limitations and are difficult to set up correctly. To support developers as well as the NIST committee in verifying candidates, we developed a toolchain that automates configuration, execution, and result analysis for several widely used constant-time analysis tools. We selected TIMECOP and Binsec/Rel2 to verify constant-time policy compliance at the binary level, and dudect and RTLF to detect side-channel vulnerabilities through statistical analysis of execution-time behavior. We demonstrate its effectiveness and practicability by evaluating the NIST PQDSS round 1 and round 2 implementations. We reported 26 issues in total to the respective developers, and 5 of them have already been fixed. We also discuss our different findings, as well as the benefits and shortcomings of the different tools.
Problem

Research questions and friction points this paper is trying to address.

Analyzing timing leakage vulnerabilities in NIST PQDSS cryptographic candidates
Automating constant-time verification for binary-level software implementations
Evaluating tool effectiveness for side-channel detection in post-quantum cryptography
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automated toolchain for constant-time analysis
Combines binary-level and statistical timing leakage detection
Evaluated NIST PQDSS implementations with practical results
Authors

Olivier Adjonyo, Technology Innovation Institute, Abu Dhabi, UAE
Sebastien Bardin, Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France
Emanuele Bellini, Technology Innovation Institute, Abu Dhabi, UAE
Gilbert Ndollane Dione, Technology Innovation Institute, Abu Dhabi, UAE
Mahmudul Faisal Al Ameen, Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France
Robert Merget, Technology Innovation Institute (TII)
Frederic Recoules, Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France
Yanis Sellami, Université Paris-Saclay, CEA, List, F-91120, Palaiseau, France