-rw-r--r-- 771 saferewrite-20210904/src/cmp_64xint16/README
2017.12.09 initial release of official Frodo software used memcmp():
https://github.com/microsoft/PQCrypto-LWEKE/blob/ff2bcc5e85bb6e39ec7bd96675e4643f77fb75ec/src/kem.c
2020.06.18 Guo--Johansson--Nilsson paper exploited timing variability:
https://eprint.iacr.org/2020/743
2020.06.18 official Frodo software introduced a "ct_verify" subroutine:
https://github.com/microsoft/PQCrypto-LWEKE/blob/155c24c3df47be6d5d9845fea37be110945e963c/src/util.c
2020.12.10 Saarinen pointed out that this subroutine was disastrously wrong:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/kSUKzDNc5ME/m/EMFYz9RNCAAJ
2020.12.11 official Frodo software fixed the bug:
https://github.com/microsoft/PQCrypto-LWEKE/blob/669522db63850fa64d1a24a47e138e80a59349db/src/util.c