bifurcation
commented
4 months ago I mocked this up in Godbolt and on a quick skim, I don't see any branching instructions. So maybe we're OK here. Would appreciate review by someone else, though.
Open bifurcation opened 4 months ago
bifurcation
commented
4 months ago I mocked this up in Godbolt and on a quick skim, I don't see any branching instructions. So maybe we're OK here. Would appreciate review by someone else, though.
tarcieri
commented
4 months ago Perhaps the subtle or cmov crates could be helpful?
The Kyber reference implementation has a vulnerability resulting from
clangintroducing a secret-dependent branch. The affected function there ispoly_frommsg. The analogous function in our ML-KEM implementation isEncode::<U1>::decode. We should make sure that Rust compilation does not introduce secret-dependent branches.