Closed mkannwischer closed 11 months ago
No difference between GCC 11-13. With OPT_SIZE=1, the code uses a normal multiplication; without size optimization, the inner loop is unrolled and the multiplication is implemented with rsb instructions.
This (partially) addresses https://github.com/mupq/pqm4/issues/319.
The function poly_tomsg from the reference implementation of Kyber (which was copied into the M4-optimized implementations) would result in a variable-time udiv instruction operating on secret data when compiled with gcc using -Os. I tried a couple of versions from gcc 11 to gcc 13, but did not see any difference.
This commit updates the m4-specific code to use the patch from https://github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220. Note that the code in PQClean has not yet been updated and hence the clean implementation within pqm4 is still vulnerable.
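The technique behind the fix, as an added illustration and not code from this PR or from the linked commit: the reference `poly_tomsg` extracts each message bit with a division by `KYBER_Q`, which the compiler may lower to a data-dependent `udiv` on Cortex-M4 under `-Os`. The division can be replaced by a multiply by a precomputed reciprocal followed by a shift, which compiles to fixed-latency `mul`/`lsr` instructions. The rounding offset 1665 and multiplier 80635 below are this example's own derivation (chosen so that `floor(v*80635/2^28)` agrees with the division for every coefficient in `[0, q)`), and the block checks that equivalence exhaustively rather than asserting it; consult the linked commit for the actual upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329
#define KYBER_N 256

/* Division form, in the shape of the reference poly_tomsg. Under -Os for
 * Cortex-M4 a compiler may emit a udiv here whose cycle count depends on the
 * secret coefficient. Kept only as the oracle for the equivalence check. */
static uint32_t msgbit_div(int16_t coeff)
{
    uint32_t t = (uint16_t)coeff;   /* coefficient assumed reduced to [0, q) */
    return (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
}

/* Constant-time form: division by q replaced with a multiply by an
 * approximate reciprocal (80635 ~= 2^28 / q) and a shift. Both constants are
 * assumptions of this example; check_equivalence() below confirms that the
 * result matches msgbit_div() for every reachable input. */
static uint32_t msgbit_mul(int16_t coeff)
{
    uint32_t t = (uint16_t)coeff;
    t <<= 1;
    t += 1665;      /* rounding offset (q/2 + 1) */
    t *= 80635;     /* max input 8321 * 80635 < 2^32, so no overflow */
    t >>= 28;
    return t & 1;
}

/* Exhaustive check over every coefficient in [0, q).
 * Returns the number of inputs where the two forms disagree (expected 0). */
static unsigned check_equivalence(void)
{
    unsigned mismatches = 0;
    for (int16_t c = 0; c < KYBER_Q; c++)
        if (msgbit_div(c) != msgbit_mul(c))
            mismatches++;
    return mismatches;
}

/* Pack KYBER_N coefficients into a 32-byte message with the constant-time
 * bit extractor, mirroring the loop structure of poly_tomsg. */
static void poly_tomsg_ct(uint8_t msg[KYBER_N / 8], const int16_t coeffs[KYBER_N])
{
    for (unsigned i = 0; i < KYBER_N / 8; i++) {
        msg[i] = 0;
        for (unsigned j = 0; j < 8; j++)
            msg[i] |= (uint8_t)(msgbit_mul(coeffs[8 * i + j]) << j);
    }
}

/* Self-test on a constructed polynomial: the first 8 coefficients sit near
 * q/2 (decode to 1), the rest are 0 (decode to 0). Returns 1 on success. */
static int poly_tomsg_selftest(void)
{
    int16_t coeffs[KYBER_N] = {0};
    uint8_t msg[KYBER_N / 8];
    for (unsigned j = 0; j < 8; j++)
        coeffs[j] = 1665;
    poly_tomsg_ct(msg, coeffs);
    return msg[0] == 0xFF && msg[1] == 0x00;
}

int main(void)
{
    printf("mismatches over [0, %d): %u\n", KYBER_Q, check_equivalence());
    printf("poly_tomsg self-test: %s\n", poly_tomsg_selftest() ? "ok" : "FAIL");
    return 0;
}
```

Replacing the division is only half of a constant-time argument: the replacement must be verified for every reachable input, which is what the exhaustive loop does, and the resulting object code should still be inspected for the target (e.g. `objdump -d` on the `-Os` build) to confirm that no `udiv` remains in the bit-extraction path.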