Mitigate kyberslash with official patching method from pq-crystals/kyber

[JosePisco]

Hello everyone,

I suggest this diff against master to patch non-constant time division revealed by DJB through KyberSlash (https://kyberslash.cr.yp.to/).

For the sake of correctness, the changes proposed here are as close as possible to the official patch in https://github.com/pq-crystals/kyber/pull/69.

While aware of a patched version available at https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6, their fix does not exactly match the values from the authors' patch.

Cheers,

[tarcieri]

Note: closes #108

There's a branch here that also mitigates it, and includes some descriptive comments about how the approach works: https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6

[JosePisco]

Note: closes #108

There's a branch here that also mitigates it, and includes some descriptive comments about how the approach works: bwesterb@b5c6ad1

This is right but as mentioned above, bwesterb's change uses different magic values as the ones used by the authors to patch this. While we can easily find approximate linear relations between the two sets of values, I believe this is for the best to align with pq-crystals/kyber as the reference. On another hand, it doesn't appear that bwesterb's fork wants to merge its fix into this repository; I believe they would have done it by now, wouldn't they ?

[JosePisco]

Hey @mberry , it's been a few weeks since I opened this PR and I wanted to call for an update. Is the repository still maintained ? I hope you don't mind the ping, just looking forward to know if it's going to be resolved.

Cheers