https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123787
--- Comment #2 from Thomas Bellebaum <thomas.bellebaum at aisec dot fraunhofer.de> --- Hi Jakub, no arguing that clang's inlining of the entire routine without any loops is suboptimal. They also have an open issue about that. Also no arguing that division and modulo are not constant time, but the cryptographer in me didn't even expect that (since on my machine, even the corresponding machine instruction takes a variable amount of cycles), so this is unlikely to ever make it into a cryptographic scheme designed for safety and ease of implementability. Multiplication is different however (on most platforms at least). The `_BitInt(257)` approach is very interesting, but an unintuitive workaround and ultimately feel like gaming compiler optimizations, which cryptographic code should avoid. For instance, will this keep working in the future if the compiler realizes that only 256 bits of the output are ever used, or will the compiler then take the reasonable shortcut of pruning the (assume unsigned) operands to 256 bits each before calling `__mulbitint3`? A bit of background: As a researcher, my main motivation for working with these large numbers multiplications was that they are much simpler and more intuitive to implement in a safe way than in, say, prime number or galois fields. Thus I am trying to design schemes around them, assuming that (natural) implementations by other people would be more likely to be safe. But then I realized that C provides a very easy (and thus natural) way of using bigints and their multiplication, so I checked and found that GCC defied my expectations.
