The function
  int32_t fix_round(int32_t num) {
    num += (num >> 31) & (-LN + 1);
    num += LN / 2; // total \floor(LN / 2) if positive, -\floor(LN / 2) + 1 if negative
    return num / LN;
  }
in the HAETAE reference code is called on secret inputs and can end up
using division instructions (see, e.g.,
https://godbolt.org/z/rEEcn89x6
saying "idiv"), presumably allowing timing attacks on some platforms.
For the HAETAE integration into SUPERCOP, I'm changing this to
  int32_t fix_round(int32_t num) {
    return (num + LNHALF) >> LNBITS;
  }
with
  #define LNHALF 4096
  #define LNBITS 13
in params.h. The C standard doesn't define the behavior of right shifts
on negative integers, but SUPERCOP uses the -fwrapv option for gcc and
clang, and this option guarantees twos-complement right shifts.
---D. J. Bernstein
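As an added example (not part of the message above and not HAETAE or SUPERCOP code): the division-based and shift-based versions side by side, with a sweep that confirms they are bit-exact for every input in a range, including the negative tie points where the two rounding styles could have diverged. LN is assumed to be 8192 (2 * LNHALF, i.e. 1 << LNBITS); the message quotes LNHALF and LNBITS but not LN, and the shift version relies on arithmetic right shifts as the message notes for -fwrapv builds.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from LNHALF = 4096 and LNBITS = 13; LN itself is not quoted
   in the message. */
#define LN 8192
#define LNHALF 4096
#define LNBITS 13

/* Reference version: the compiler may lower num / LN to a division
   instruction whose latency depends on the operand, i.e. on secret data. */
int32_t fix_round_div(int32_t num) {
  num += (num >> 31) & (-LN + 1); /* subtract LN - 1 when num is negative */
  num += LN / 2;
  return num / LN;                 /* truncates toward zero */
}

/* Replacement: one add and one arithmetic shift, both fixed-latency on
   common CPUs. Needs two's-complement (arithmetic) right shift of
   negative values, which -fwrapv guarantees for gcc and clang. */
int32_t fix_round_shift(int32_t num) {
  return (num + LNHALF) >> LNBITS; /* floor((num + LN/2) / LN) */
}

/* Returns 1 if both versions agree for every num in [lo, hi], else 0.
   When swapping a variable-time primitive for a constant-time one the
   new code must be bit-exact, not merely close, so sweep the range. */
int fix_round_versions_agree(int32_t lo, int32_t hi) {
  for (int64_t n = lo; n <= hi; n++) {
    if (fix_round_div((int32_t)n) != fix_round_shift((int32_t)n)) return 0;
  }
  return 1;
}

int main(void) {
  /* Tie points: -LNHALF rounds to 0, -LNHALF - 1 rounds to -1 */
  printf("%d %d\n", fix_round_shift(-LNHALF), fix_round_shift(-LNHALF - 1));
  printf("agree on [-2^20, 2^20]: %d\n",
         fix_round_versions_agree(-(1 << 20), 1 << 20));
  return 0;
}
```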