🤖 AI Summary
Existing speculative constant-time (SCT) analysis tools lack formal foundations, hindering reliable Spectre vulnerability detection. Method: We introduce the first formal characterization of SCT and its relationship to traditional constant-time (CT) semantics. We propose Speculation-Passing Style (SPS), a program transformation that reduces SCT verification to standard CT verification, enabling reuse of mature CT analysis tools (e.g., EasyCrypt, BINSEC, ctgrind). The transformation is both sound and complete, supporting non-interference proofs, assertion checking, and dynamic taint analysis. Contribution/Results: We validate SPS on the Spectre-v1 benchmark and demonstrate its extensibility to other Spectre variants and leakage models. This work establishes the first rigorous theoretical foundation for SCT analysis, bridging formal guarantees with practical toolchain integration.
📝 Abstract
Constant-time (CT) verification tools are commonly used for detecting potential side-channel vulnerabilities in cryptographic libraries. Recently, a new class of tools, called speculative constant-time (SCT) tools, has also been used for detecting potential Spectre vulnerabilities. In many cases, these SCT tools have emerged as liftings of CT tools. However, these liftings are seldom defined precisely and are almost never analyzed formally. The goal of this paper is to address this gap, by developing formal foundations for these liftings, and to demonstrate that these foundations can yield practical benefits.
Concretely, we introduce a program transformation, coined Speculation-Passing Style (SPS), for reducing SCT verification to CT verification. Essentially, the transformation instruments the program with a new input that corresponds to attacker-controlled predictions and modifies the program to follow them. This approach is sound and complete, in the sense that a program is SCT if and only if its SPS transform is CT. Thus, we can leverage existing CT verification tools to prove SCT; we illustrate this by combining SPS with three standard methodologies for CT verification, namely reducing it to non-interference, assertion safety and dynamic taint analysis. We realize these combinations with three existing tools, EasyCrypt, BINSEC, and ctgrind, and we evaluate them on Kocher's benchmarks for Spectre-v1. Our results focus on Spectre-v1 in the standard CT leakage model; however, we also discuss applications of our method to other variants of Spectre and other leakage models.
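The idea of instrumenting a program with a prediction input can be seen on a single bounds check. The following is an added, simplified sketch, not the paper's definition of SPS or code from its artifact: the names `victim`, `victim_sps`, `leak`, `leakage_equal`, the memory layout and the trace encoding are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PUB_LEN 4 /* constructed layout: mem[0..3] public, mem[4] secret; idx <= 4 */

/* Leakage in the standard CT model: branch directions and accessed addresses. */
typedef struct { size_t obs[4]; size_t n; } trace_t;
static void leak(trace_t *t, size_t v) { t->obs[t->n++] = v; }

/* Source program under sequential semantics (shape of a Spectre-v1 bounds check). */
static void victim(const uint8_t *mem, size_t idx, trace_t *t) {
    int c = idx < PUB_LEN;
    leak(t, (size_t)c);
    if (c) {
        leak(t, idx);                    /* address of mem[idx]        */
        leak(t, (size_t)mem[idx] * 512); /* address of table[mem[idx]] */
    }
}

/* Sketch of the transform: `predict` is the new attacker-controlled input and
   the branch follows it, not the real condition. Returns 1 on misprediction. */
static int victim_sps(const uint8_t *mem, size_t idx, int predict, trace_t *t) {
    int c = idx < PUB_LEN;
    leak(t, (size_t)predict);            /* direction actually executed */
    if (predict) {
        leak(t, idx);
        leak(t, (size_t)mem[idx] * 512);
    }
    return predict != c;                 /* path is discarded, its leakage is not */
}

/* CT check by self-composition: two memories that differ only in the secret
   must give identical traces for the same public inputs. */
static int leakage_equal(size_t idx, int sps, int predict) {
    uint8_t m1[PUB_LEN + 1] = {1, 2, 3, 4, 0x11};
    uint8_t m2[PUB_LEN + 1] = {1, 2, 3, 4, 0x22};
    trace_t t1 = {{0}, 0}, t2 = {{0}, 0};
    if (sps) { victim_sps(m1, idx, predict, &t1); victim_sps(m2, idx, predict, &t2); }
    else     { victim(m1, idx, &t1);              victim(m2, idx, &t2); }
    return t1.n == t2.n && memcmp(t1.obs, t2.obs, sizeof t1.obs) == 0;
}

int main(void) {
    printf("source, idx=4:           CT=%d\n", leakage_equal(4, 0, 0));
    printf("transform, idx=4, taken: CT=%d\n", leakage_equal(4, 1, 1));
    return 0;
}
```

The source passes the CT check for every index, while the transformed program fails it once the prediction input forces the out-of-bounds path, which is the Spectre-v1 leak expressed as an ordinary CT violation.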