Open zugzwang opened 3 weeks ago
As a slight reassurance, godbolt doesn't demonstrate such a branch in the current rust code on x86_64, although still good to ensure that it won't in a future update to LLVM.
O3 - https://godbolt.org/z/jdT4dnvEr Os - https://godbolt.org/z/YTsojG5xo
I haven't confirmed but it looks like this library is also vulnerable to https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU
See https://github.com/Argyle-Software/kyber/blob/476e22c1a1ed579f3030e1ae46077036dc384d7f/src/reference/poly.rs#L291
and the fix in the reference implementation https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c