From 78585b12ba396b93664dcb94ab18d8238b085b76 Mon Sep 17 00:00:00 2001
From: Basil Hess <bhe@zurich.ibm.com>
Date: Mon, 26 Aug 2024 18:05:48 +0200
Subject: [PATCH] pull update from upstream

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
---
 docs/algorithms/kem/ml_kem.md                    |  2 +-
 docs/algorithms/kem/ml_kem.yml                   |  2 +-
 docs/cbom.json                                   | 16 ++++++++--------
 .../copy_from_upstream/copy_from_upstream.yml    |  4 ++--
 .../kem.c                                        |  4 +---
 .../verify.c                                     | 10 ++++++++++
 .../kem.c                                        |  4 +---
 .../poly.c                                       |  2 +-
 .../polyvec.c                                    |  1 -
 .../verify.c                                     | 10 ++++++++++
 .../kem.c                                        |  4 +---
 .../verify.c                                     | 10 ++++++++++
 .../kem.c                                        |  4 +---
 .../poly.c                                       |  2 +-
 .../polyvec.c                                    |  1 -
 .../verify.c                                     | 10 ++++++++++
 .../kem.c                                        |  4 +---
 .../verify.c                                     | 10 ++++++++++
 .../kem.c                                        |  4 +---
 .../poly.c                                       |  2 +-
 .../polyvec.c                                    |  1 -
 .../verify.c                                     | 10 ++++++++++
 22 files changed, 81 insertions(+), 36 deletions(-)

diff --git a/docs/algorithms/kem/ml_kem.md b/docs/algorithms/kem/ml_kem.md
index 6b211ff560..d1806517ba 100644
--- a/docs/algorithms/kem/ml_kem.md
+++ b/docs/algorithms/kem/ml_kem.md
@@ -7,7 +7,7 @@
 - **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
 - **Specification version**: ML-KEM.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/kyber/commit/3c874cddd5fdaf4a7bd13f7e2e4d98a2a1eb8dc4 with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd with copy_from_upstream patches
   - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 
 
diff --git a/docs/algorithms/kem/ml_kem.yml b/docs/algorithms/kem/ml_kem.yml
index e9708ce753..81ef2b6c4a 100644
--- a/docs/algorithms/kem/ml_kem.yml
+++ b/docs/algorithms/kem/ml_kem.yml
@@ -17,7 +17,7 @@ website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
 nist-round: FIPS203
 spec-version: ML-KEM
 primary-upstream:
-  source: https://github.com/pq-crystals/kyber/commit/3c874cddd5fdaf4a7bd13f7e2e4d98a2a1eb8dc4
+  source: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
     with copy_from_upstream patches
   spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets:
diff --git a/docs/cbom.json b/docs/cbom.json
index 386baf184f..2fab7718a6 100644
--- a/docs/cbom.json
+++ b/docs/cbom.json
@@ -1,23 +1,23 @@
 {
   "bomFormat": "CBOM",
   "specVersion": "1.4-cbom-1.0",
-  "serialNumber": "urn:uuid:58a975ac-ea6b-4ce9-a5ae-80d35105db30",
+  "serialNumber": "urn:uuid:b953d460-1246-4cbb-aff9-642a0308d18b",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-04-09T21:46:17.101849",
+    "timestamp": "2024-08-26T18:04:44.668645",
     "component": {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@2fd65d9ec99a2608149713e5fcaeb9b6402e5872",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "name": "liboqs",
-      "version": "2fd65d9ec99a2608149713e5fcaeb9b6402e5872"
+      "version": "062e793edf54cbc1073b54d0689795063fd41910"
     }
   },
   "components": [
     {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@2fd65d9ec99a2608149713e5fcaeb9b6402e5872",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "name": "liboqs",
-      "version": "2fd65d9ec99a2608149713e5fcaeb9b6402e5872"
+      "version": "062e793edf54cbc1073b54d0689795063fd41910"
     },
     {
       "type": "crypto-asset",
@@ -2408,7 +2408,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:github/open-quantum-safe/liboqs@ca5d956097e10672aaa9bb7994057bcc58291b65",
+      "ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "dependsOn": [
         "alg:BIKE-L1:x86_64",
         "alg:BIKE-L3:x86_64",
@@ -3284,4 +3284,4 @@
       "dependencyType": "uses"
     }
   ]
-}
+}
\ No newline at end of file
diff --git a/scripts/copy_from_upstream/copy_from_upstream.yml b/scripts/copy_from_upstream/copy_from_upstream.yml
index 2b162f9396..216a99ae10 100644
--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@@ -32,8 +32,8 @@ upstreams:
   -
     name: pqcrystals-kyber-standard
     git_url: https://github.com/pq-crystals/kyber.git
-    git_branch: standard
-    git_commit: 3c874cddd5fdaf4a7bd13f7e2e4d98a2a1eb8dc4
+    git_branch: main
+    git_commit: 10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
     kem_meta_path: '{pretty_name_full}_META.yml'
     kem_scheme_path: '.'
     patches: [pqcrystals-ml_kem.patch]
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/verify.c
index aa8e2850b1..06243b837f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_avx2/verify.c
@@ -57,6 +57,16 @@ void cmov(uint8_t * restrict r, const uint8_t *x, size_t len, uint8_t b)
   size_t i;
   __m256i xvec, rvec, bvec;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   bvec = _mm256_set1_epi64x(-(uint64_t)b);
   for(i=0;i<len/32;i++) {
     rvec = _mm256_loadu_si256((__m256i *)&r[32*i]);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/poly.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/poly.c
index 7bf7ad536f..cbd3abfb54 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/poly.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/poly.c
@@ -19,7 +19,7 @@
 void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
 {
   unsigned int i,j;
-  int32_t u;
+  int16_t u;
   uint32_t d0;
   uint8_t t[8];
 
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/polyvec.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/polyvec.c
index 661c71ec32..669f6a5f1d 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/polyvec.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/polyvec.c
@@ -31,7 +31,6 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
         d0 *= 645084;
         d0 >>= 31;
         t[k] = d0 & 0x7ff;
-
       }
 
       r[ 0] = (t[0] >>  0);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/verify.c
index aad03b0297..914ccd448f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-1024_ref/verify.c
@@ -41,6 +41,16 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 {
   size_t i;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   b = -b;
   for(i=0;i<len;i++)
     r[i] ^= b & (r[i] ^ x[i]);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/verify.c
index aa8e2850b1..06243b837f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_avx2/verify.c
@@ -57,6 +57,16 @@ void cmov(uint8_t * restrict r, const uint8_t *x, size_t len, uint8_t b)
   size_t i;
   __m256i xvec, rvec, bvec;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   bvec = _mm256_set1_epi64x(-(uint64_t)b);
   for(i=0;i<len/32;i++) {
     rvec = _mm256_loadu_si256((__m256i *)&r[32*i]);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/poly.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/poly.c
index 7bf7ad536f..cbd3abfb54 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/poly.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/poly.c
@@ -19,7 +19,7 @@
 void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
 {
   unsigned int i,j;
-  int32_t u;
+  int16_t u;
   uint32_t d0;
   uint8_t t[8];
 
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/polyvec.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/polyvec.c
index 661c71ec32..669f6a5f1d 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/polyvec.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/polyvec.c
@@ -31,7 +31,6 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
         d0 *= 645084;
         d0 >>= 31;
         t[k] = d0 & 0x7ff;
-
       }
 
       r[ 0] = (t[0] >>  0);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/verify.c
index aad03b0297..914ccd448f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-512_ref/verify.c
@@ -41,6 +41,16 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 {
   size_t i;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   b = -b;
   for(i=0;i<len;i++)
     r[i] ^= b & (r[i] ^ x[i]);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/verify.c
index aa8e2850b1..06243b837f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_avx2/verify.c
@@ -57,6 +57,16 @@ void cmov(uint8_t * restrict r, const uint8_t *x, size_t len, uint8_t b)
   size_t i;
   __m256i xvec, rvec, bvec;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   bvec = _mm256_set1_epi64x(-(uint64_t)b);
   for(i=0;i<len/32;i++) {
     rvec = _mm256_loadu_si256((__m256i *)&r[32*i]);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/kem.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/kem.c
index d856efee99..63abc1029c 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/kem.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/kem.c
@@ -78,7 +78,7 @@ int crypto_kem_enc_derand(uint8_t *ct,
                           const uint8_t *pk,
                           const uint8_t *coins)
 {
-  uint8_t buf[2*KYBER_SYMBYTES+1];
+  uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
@@ -86,8 +86,6 @@ int crypto_kem_enc_derand(uint8_t *ct,
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Add byte separating Kyber parameter sets */
-  buf[2*KYBER_SYMBYTES] = KYBER_K;
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/poly.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/poly.c
index 7bf7ad536f..cbd3abfb54 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/poly.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/poly.c
@@ -19,7 +19,7 @@
 void poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a)
 {
   unsigned int i,j;
-  int32_t u;
+  int16_t u;
   uint32_t d0;
   uint8_t t[8];
 
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/polyvec.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/polyvec.c
index 661c71ec32..669f6a5f1d 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/polyvec.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/polyvec.c
@@ -31,7 +31,6 @@ void polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a)
         d0 *= 645084;
         d0 >>= 31;
         t[k] = d0 & 0x7ff;
-
       }
 
       r[ 0] = (t[0] >>  0);
diff --git a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/verify.c b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/verify.c
index aad03b0297..914ccd448f 100644
--- a/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/verify.c
+++ b/src/kem/ml_kem/pqcrystals-kyber-standard_ml-kem-768_ref/verify.c
@@ -41,6 +41,16 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 {
   size_t i;
 
+#if defined(__GNUC__) || defined(__clang__)
+  // Prevent the compiler from
+  //    1) inferring that b is 0/1-valued, and
+  //    2) handling the two cases with a branch.
+  // This is not necessary when verify.c and kem.c are separate translation
+  // units, but we expect that downstream consumers will copy this code and/or
+  // change how it is built.
+  __asm__("" : "+r"(b) : /* no inputs */);
+#endif
+
   b = -b;
   for(i=0;i<len;i++)
     r[i] ^= b & (r[i] ^ x[i]);