write in constant-time

[jacksonwalters]

Typically, the big issue when trying to make code like yours constant time is the modular reduction x -> x mod q. This can be fixed by using something like Barrett reduction, see for example https://words.filippo.io/dispatches/kyber-math/

As written, the code is not constant-time and vulnerable to timing attacks.

https://research.redhat.com/blog/article/the-need-for-constant-time-cryptography/

[jacksonwalters]

Here is an implementation of GF(p^2) in constant time: https://github.com/GiacomoPope/fp2-rs

[jacksonwalters]

It probably makes the most sense to start with Barrett or Montgomery reduction for reducing mod q in constant time.