Give a reference implementation of `cmov` and use it in `Dec`

[bwesterb]

It is very hard to ensure data-independent constant-time operations in Python. It can be done, but it will make the specification less readable. To begin, we can't use the plain int type.

My preference is not to bother with it in kyber.py: if we'd use a cmov then we would be suggesting that the rest is constant-time as well, which it most definitely is not.

[jschanck]

Yeah I wouldn't expect it to be constant time in python. My issue is that

    if ct == ct2: # NOTE <- in production this must be done in constant time!
        return KDF(Kbar2 + H(ct))
    return KDF(z + H(ct))

only says that the comparison must be constant time. An implementer might skip the computation of KDF(Kbar2 + H(ct)) when the branch is not taken. (The wording in the spec is fine.)

So I would write something like

    return constant_time_select(ct, ct2, KDF(Kbar2 + H(ct)), KDF(z + H(ct)))

def constant_time_select(a, b, x, y):
    # WARNING! This implementation is insecure.
    # Examples of safer implementations in several languages can be found in [XXX].
    return x if a == b else y

[bwesterb]

I like your suggestion.

[bwesterb]

Still needs a reference.