Output of "clang -O3" branches on the "done" flag in ref-common/poly_r2_inv.c.
Affects these calls:
https://github.com/jschanck/ntru/blob/5cce29743ffd91743b53c7cbc188a13a5451a417/ref-common/poly_r2_inv.c#L84
https://github.com/jschanck/ntru/blob/5cce29743ffd91743b53c7cbc188a13a5451a417/ref-common/poly_r2_inv.c#L85
https://github.com/jschanck/ntru/blob/5cce29743ffd91743b53c7cbc188a13a5451a417/ref-common/poly_r2_inv.c#L87
https://github.com/jschanck/ntru/blob/5cce29743ffd91743b53c7cbc188a13a5451a417/ref-common/poly_r2_inv.c#L88
This was caught using Moritz Neikes' TIMECOP (as incorporated into SUPERCOP 20200820).
Not clear that there is a security issue here, but it is easily fixed by re-implementing poly_r2_inv.c along the lines of b1185f27 (i.e. supercop/crypto_core/invhrss701/simpler).
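The kind of flag-conditioned update the report is about, as an added example. It is not code from the ntru repository and not the b1185f27 rewrite. It contrasts a form that branches on a secret-derived "done" flag with a masked form whose mask is hidden from the optimizer. The function names, the mod-2 coefficient update and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hide a value from the optimizer so it cannot prove the mask is only ever
   0x0000 or 0xFFFF and rewrite the masked arithmetic as a branch.
   Uses GCC/Clang inline asm; on other compilers this is a plain pass-through. */
static inline uint16_t value_barrier_u16(uint16_t x) {
#if defined(__GNUC__) || defined(__clang__)
  __asm__ volatile("" : "+r"(x));
#endif
  return x;
}

/* Branch-prone form: control flow depends directly on the flag. */
void cond_add_mod2_branchy(uint16_t *r, const uint16_t *a, size_t n, uint16_t done) {
  if (!done)
    for (size_t i = 0; i < n; i++)
      r[i] = (uint16_t)(r[i] ^ (a[i] & 1));
}

/* Masked form: the same update is always executed; the flag only selects
   whether the added term is a[i] or zero. */
void cond_add_mod2_masked(uint16_t *r, const uint16_t *a, size_t n, uint16_t done) {
  /* done is 0 or 1: mask is 0xFFFF while not done, 0x0000 once done. */
  uint16_t mask = value_barrier_u16((uint16_t)(done - 1));
  for (size_t i = 0; i < n; i++)
    r[i] = (uint16_t)(r[i] ^ (a[i] & mask & 1));
}

/* Returns 1 if both forms produce the same result on constructed input. */
int forms_agree(uint16_t done) {
  const uint16_t a[4] = {1, 0, 1, 1};          /* constructed sample */
  uint16_t x[4] = {0, 1, 1, 0}, y[4] = {0, 1, 1, 0};
  cond_add_mod2_branchy(x, a, 4, done);
  cond_add_mod2_masked(y, a, 4, done);
  for (size_t i = 0; i < 4; i++)
    if (x[i] != y[i]) return 0;
  return 1;
}
```

Branch-free source does not guarantee branch-free machine code, which is the point of the report, so the compiled output still needs checking with a tool such as TIMECOP at the optimization level that ships.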