Summary
crypto_kem/hqc-128/clean/gf2x.c — function base_mul — compiles to a secret-dependent branch chain under every released version of clang from 14.0.6 (June 2022) through 22.1.2 (March 2026), on both Linux and Windows x86-64, at -O2 and -O3.
The source code is correctly written using branchless mask construction. The vulnerability is introduced at compile time by the LLVM x86-cmov-converter pass, which pattern-matches the safe select IR into a cmp/jne chain over the secret nibble of operand a.
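To make the source-level idiom concrete, here is an added illustration (written for this report, not HQC's gf2x.c) of a 4-bit-windowed carry-less multiply that picks each table entry with an equality mask instead of an index or a branch, the construction the report describes for base_mul. A plain shift-and-xor version is included only as a test oracle; the function and variable names are this example's own. Whether the mask survives compilation is exactly the point at issue, so the disassembly of clmul64_ct should be checked with and without -mllvm -x86-cmov-converter=false.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Returns all-ones when x == y, zero otherwise, with no data-dependent branch
 * at source level: (d | -d) has its top bit set iff d != 0. */
static inline uint64_t ct_mask_eq(uint64_t x, uint64_t y) {
    uint64_t d = x ^ y;
    return ~(0 - ((d | (0 - d)) >> 63));
}

/* Carry-less 64x64->128 multiply over GF(2)[x], processing the secret operand
 * a in 4-bit windows. u[i] holds i*b; for each nibble of a every one of the 16
 * entries is masked and XORed in, so the nibble never drives a branch or an
 * address. This mirrors the masked-select pattern the report refers to. */
static u128 clmul64_ct(uint64_t a, uint64_t b) {
    u128 u[16];
    u[0] = 0;
    u[1] = b;
    for (int i = 2; i < 16; i++) {
        u[i] = (u[i >> 1] << 1) ^ u[i & 1];      /* i*b = ((i/2)*b)*x + (i%2)*b */
    }
    u128 r = 0;
    for (int k = 0; k < 16; k++) {
        uint64_t nib = (a >> (4 * k)) & 0xf;      /* secret nibble k of a */
        u128 g = 0;
        for (uint64_t j = 0; j < 16; j++) {
            uint64_t m = ct_mask_eq(nib, j);
            g ^= u[j] & (((u128)m << 64) | m);    /* widen the mask to 128 bits */
        }
        r ^= g << (4 * k);
    }
    return r;
}

/* Branching reference implementation: only a correctness oracle for testing. */
static u128 clmul64_ref(uint64_t a, uint64_t b) {
    u128 r = 0;
    for (int i = 0; i < 64; i++) {
        if ((a >> i) & 1) r ^= (u128)b << i;
    }
    return r;
}

/* 1 if the masked implementation agrees with the reference for (a, b). */
int clmul_matches_ref(uint64_t a, uint64_t b) {
    return clmul64_ct(a, b) == clmul64_ref(a, b);
}

int main(void) {
    u128 r = clmul64_ct(0x9E3779B97F4A7C15ULL, 0xDEADBEEFCAFEBABEULL);
    printf("hi=%016llx lo=%016llx\n", (unsigned long long)(r >> 64), (unsigned long long)r);
    return 0;
}
```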
Impact
dudect confirms the leak: unpatched clang-19 -O3 yields max-t > 1000 across multiple fixed secrets (threshold for "definitely not constant time" is t > 10). A per-nibble timing oracle confirms nibbles 1–15 all leak; nibble 0 is safe (processed by a different code path using cmove).
GCC is not affected. Apple Silicon (arm64) is not affected.
Fix
A single build flag eliminates the vulnerability across all 20 tested compiler/platform/optimisation combinations:
-mllvm -x86-cmov-converter=false
This flag also makes the binary 3.07× faster than the unpatched version, because the cmov-converter was causing branch mispredictions on unpredictable secret data.
Evidence
Full empirical study (9 clang versions, Linux + Windows, assembly inspection + dudect + per-nibble oracle):
Paper: preprint forthcoming on ePrint
Artifacts: https://github.com/BAder82t/kem-cct-matrix
Suggested action
Add -mllvm -x86-cmov-converter=false to the clang CFLAGS for HQC in liboqs's CMake build, guarded by a clang-on-x86 check. No source code changes required.