Open bifurcation opened 4 months ago
I mocked this up in Godbolt and on a quick skim, I don't see any branching instructions. So maybe we're OK here. Would appreciate review by someone else, though.
Perhaps the `subtle` or `cmov` crates could be helpful?
The Kyber reference implementation has a vulnerability resulting from clang introducing a secret-dependent branch. The affected function there is `poly_frommsg`. The analogous function in our ML-KEM implementation is `Encode::<U1>::decode`. We should make sure that Rust compilation does not introduce secret-dependent branches.
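As an added illustration (not code from the ml-kem crate or from this issue's participants) of the function under discussion: the operation `poly_frommsg` / `Encode::<U1>::decode` performs is expanding 256 message bits into 256 polynomial coefficients, 0 for a clear bit and round(q/2) = 1665 for a set bit. The branchy version below shows the shape a compiler must not be allowed to produce for secret input; the mask-based version derives each coefficient purely arithmetically and wraps the secret byte in `core::hint::black_box` so the optimiser cannot prove the operand is 0/1 and re-introduce a select or branch. The names `frommsg_branchy`, `frommsg_ct` and the sample message are assumptions for this example. Note that the Kyber C reference also used the same mask arithmetic and clang still emitted a branch, so `black_box` is a hint, not a proof: the actual check remains inspecting the generated assembly (Godbolt, `cargo asm`) at the optimisation level that ships.

```rust
// Added example: mask-based decoding of a 32-byte message into 256
// ML-KEM polynomial coefficients, the analogue of Kyber's poly_frommsg
// and RustCrypto ml-kem's Encode::<U1>::decode. Illustration only; it is
// not the crate's own implementation.

use core::hint::black_box;

/// ML-KEM modulus q.
pub const Q: u16 = 3329;
/// Coefficients per polynomial.
pub const N: usize = 256;
/// Decompress_1(1) = round(q/2) = 1665, the value a set bit decodes to.
pub const HALF_Q: u16 = (Q + 1) / 2;

/// Reference shape with an explicit data-dependent branch. Fine as a test
/// oracle, NOT acceptable on secret data: the branch leaks each message
/// bit through timing / branch predictor state.
pub fn frommsg_branchy(msg: &[u8; 32]) -> [u16; N] {
    let mut poly = [0u16; N];
    for (i, &byte) in msg.iter().enumerate() {
        for j in 0..8 {
            if (byte >> j) & 1 == 1 {
                poly[8 * i + j] = HALF_Q;
            }
        }
    }
    poly
}

/// Mask-based form: coefficient = mask & HALF_Q, where mask is 0x0000 or
/// 0xFFFF computed as the two's-complement negation of the bit. There is
/// no control flow that depends on the message.
pub fn frommsg_ct(msg: &[u8; 32]) -> [u16; N] {
    let mut poly = [0u16; N];
    for (i, &byte) in msg.iter().enumerate() {
        // black_box hides the byte's provenance from the optimiser so it
        // cannot reason "this is 0 or 1" and rewrite the mask as a branch.
        // Best effort only (assumption): always verify the emitted asm.
        let byte = black_box(byte) as u16;
        for j in 0..8 {
            let bit = (byte >> j) & 1; // 0 or 1, still a value, not a branch
            let mask = bit.wrapping_neg(); // 0 -> 0x0000, 1 -> 0xFFFF
            poly[8 * i + j] = mask & HALF_Q;
        }
    }
    poly
}

/// Convenience check used by the stand-alone demo: both forms must agree
/// bit for bit, otherwise the mask logic is wrong.
pub fn forms_agree(msg: &[u8; 32]) -> bool {
    frommsg_ct(msg) == frommsg_branchy(msg)
}

fn main() {
    // Constructed sample message (not a real ciphertext/shared-secret input).
    let mut msg = [0u8; 32];
    for (i, b) in msg.iter_mut().enumerate() {
        *b = (i as u8).wrapping_mul(37) ^ 0xA5;
    }
    let poly = frommsg_ct(&msg);
    let set = poly.iter().filter(|&&c| c == HALF_Q).count();
    println!("forms agree: {}, set coefficients: {}", forms_agree(&msg), set);
}
```

When reviewing the assembly, the thing to look for in `frommsg_ct` is a `neg`/`and` pair (or `sbb`/`and`) per coefficient with no `test`/`jcc` or `cmov` keyed on the message byte; a `cmov` is still data-independent timing on most x86 parts, but a conditional jump is exactly the regression the Kyber report describes.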