Make `poly_chknorm` constant flow

[hanno-becker]

The current implementation of poly_chknorm,

  for (i = 0; i < MLDSA_N; ++i)
  {
    /* Absolute value */
    t = a->coeffs[i] >> 31;
    t = a->coeffs[i] - (t & 2 * a->coeffs[i]);

    if (t >= B)
    {
      return 1;
    }
  }

aborts upon the first entry which exceeds the given norm.

While there is a comment indicating why this does not leak anything sensitive, the input data is sensitive (from what I understand), so it seems safer to use a constant-flow implementation here.

[kallal79]

Hi, I’m Kallal Mukherjee (GitHub: 7908837174). Thanks for reviewing my pull request (#389) which aimed to address constant-time execution for polynomial norm checking — a key mitigation for timing side-channel risks (ref: #153).

I’ve already submitted my LFX mentorship application for the mldsa-native project through the LFX platform and am hopeful to contribute further with security-focused improvements, reproducible tooling, and clear onboarding.

This PR included:

Manual implementation of constant-time logic for polyvecl_chknorm and polyveck_chknorm

Loop invariant annotations for CBMC verification

DCO sign-off and reviewer-ready documentation

I completely understand the contributor policy and am happy to follow any additional steps required. Let me know if any further info would help verify my background or contributions.

Thanks again!

[kallal79]

👍 ok, Thanks for the update..

…

On Wed, 30 Jul, 2025, 15:36 Hanno Becker, ***@***.***> wrote: Closed #153 <#153> as completed via #392 <#392>. — Reply to this email directly, view it on GitHub <#153 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BLR2IINUXMQGLRVBEPX6MIT3LCKIRAVCNFSM6AAAAAB3AVLALCVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJYHA4TKNZWGIYDAOA> . You are receiving this because you commented.Message ID: ***@***.*** com>