cloudflare / circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
http://blog.cloudflare.com/introducing-circl

tkn20,kyber,x25519,x448: plug constant-time leaks #411

Closed tmthrgd closed 1 year ago

tmthrgd commented 1 year ago

In particular leaking z in kyber could be quite damaging: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/SJ31w0QSmIM/m/XgdBgh3wAwAJ

The changes to x25519 and x448 are unlikely to be needed, but it's more idiomatic at least.
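The kind of leak the comment above refers to, as an added Go example that is not circl's own code: a simplified, hypothetical stand-in for the tail of a Kyber-style decapsulation, with the short-circuiting comparison beside its constant-time replacement built on crypto/subtle. The names rejectKey, leakySelect and constantTimeSelect are assumptions, and SHA-256 stands in for Kyber's actual KDF.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Simplified, hypothetical stand-in for the end of a Kyber-style decapsulation
// (not circl's code): after re-encryption the caller compares the re-encrypted
// ciphertext cPrime with the received ciphertext c and, on mismatch, returns a
// key derived from the secret z (implicit rejection). Only the timing differs.

// rejectKey derives the implicit-rejection key from z and c. Real Kyber uses
// its own KDF; SHA-256 is a placeholder that keeps the example runnable.
func rejectKey(z, c []byte) []byte {
	h := sha256.New()
	h.Write(z)
	h.Write(c)
	return h.Sum(nil)
}

// leakySelect is the pattern such fixes remove: bytes.Equal stops at the first
// differing byte and the branch depends on the outcome, so timing reveals
// whether rejection happened, which is the signal that endangers z.
func leakySelect(c, cPrime, k, z []byte) []byte {
	if bytes.Equal(c, cPrime) {
		return k
	}
	return rejectKey(z, c)
}

// constantTimeSelect does the same work in constant time: the comparison always
// touches every byte, and the key is chosen with a masked copy, not a branch.
// k must be the same length as the rejection key (32 bytes here).
func constantTimeSelect(c, cPrime, k, z []byte) []byte {
	ok := subtle.ConstantTimeCompare(c, cPrime) // 1 if equal, 0 if not
	out := rejectKey(z, c)                      // always computed
	subtle.ConstantTimeCopy(ok, out, k)         // overwrite with k only if ok == 1
	return out
}

func main() {
	c := []byte("constructed ciphertext")
	z := []byte("constructed secret z")
	k := bytes.Repeat([]byte{0x42}, 32)
	fmt.Printf("%x\n", constantTimeSelect(c, []byte("tampered ciphertext!!!"), k, z))
}
```

Both functions return identical bytes for every input; the difference is only whether the branch and the comparison leak through timing.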

tanyav2 commented 1 year ago

re: tkn, the matrix comparisons in that same line are also not constant time. I'll create an issue to assess the need and make all necessary changes together.

This is also bottlenecked by https://github.com/cloudflare/circl/issues/286 (@armfazh) somewhat. Overall, I don't think it's worthwhile to fix one isolated instance without fixing the underlying bottleneck.

armfazh commented 1 year ago

Thanks @tmthrgd