Fast, constant-time, correct: pick three

We've seen endless examples of cryptographic software that leaks secret information through timing or has outright bugs for some inputs. Cryptographic systems end up exploitable in the real world even without being broken in theory. Often these vulnerabilities remain undiscovered by the public for many years. The "all bugs are shallow" philosophy fails for even the simplest cryptographic computations, and is hopeless when software is made even more complicated in the pursuit of speed. Are we doomed to a neverending cycle of attacks and emergency upgrades? A convincing solution is finally coming together, as illustrated by DIT from ARM, DOIT from Intel, and s2n-bignum from AWS. This talk will give examples to illustrate how this solution works.