kuking / go-frodokem

Golang FrodoKEM implementation

Needs to avoid branching on secret data

kriskwiatkowski opened this issue · comments

I think your code has a similar problem to the one described by Qian Guo, Thomas Johansson, Alexander Nilsson, "A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM."
https://eprint.iacr.org/2020/743

The interesting line would be this one:

ssDec = k.shake(append(ct, s...), k.lenSS/8)

But it is interesting stuff.

Kind regards,
Kris Kwiatkowski

Thank you Kris for the review, I will be fixing this as soon as I have a couple of hours. -- Ed

@henrydcase let me know if it is OK for you, so I can close the ticket. -- Thanks

It won't help. You need something like:

a := uint16Equals(Bprime, Bprimeprime)
a &= uint16Equals(C, Cprime)

assuming uint16Equals is constant-time and returns 0 or 1 instead of bool.

In Go, if you have (a() && b()) and a() returns false, then b() is not called, which causes a problem here.
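The pattern Kris describes, written out as an added example (not the project's code and not code from this thread): both comparisons run unconditionally, their 0/1 results are ANDed, and the shared secret is selected with crypto/subtle rather than an if. The names Bprime, Bprimeprime, C and Cprime follow the thread; ssReal and ssReject, ctEqualUint16, branchyDecaps and ctDecaps are assumed names for this illustration, and the sample values are constructed, far smaller than real FrodoKEM matrices. branchyDecaps is included only to show the short-circuit and secret-dependent branch being avoided.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// ctEqualUint16 returns 1 if a and b hold identical words, else 0, without
// branching on the word values. The length check is fine: lengths are public
// (fixed by the parameter set), so only the contents must stay secret.
func ctEqualUint16(a, b []uint16) int {
	if len(a) != len(b) {
		return 0
	}
	var acc uint16
	for i := range a {
		acc |= a[i] ^ b[i] // accumulate every difference bit, never exit early
	}
	// acc is 0 iff every word matched. (acc | -acc) has its top bit set iff
	// acc != 0, so shifting it down yields 1 for "differ" and 0 for "equal".
	differ := (acc | -acc) >> 15
	return int(differ ^ 1)
}

// branchyDecaps is the shape the thread warns about (illustration only):
// && short-circuits, so the second compare runs only when the first matched,
// and the if picks the secret through a secret-dependent branch.
func branchyDecaps(Bprime, Bprimeprime, C, Cprime []uint16, ssReal, ssReject []byte) []byte {
	if ctEqualUint16(Bprime, Bprimeprime) == 1 && ctEqualUint16(C, Cprime) == 1 {
		return ssReal
	}
	return ssReject
}

// ctDecaps evaluates both comparisons unconditionally, ANDs the 0/1 results,
// and selects the output with crypto/subtle so timing does not depend on
// whether the re-encryption matched. ssReal and ssReject must have the same
// length (ConstantTimeCopy panics otherwise).
func ctDecaps(Bprime, Bprimeprime, C, Cprime []uint16, ssReal, ssReject []byte) []byte {
	a := ctEqualUint16(Bprime, Bprimeprime)
	a &= ctEqualUint16(C, Cprime) // no short-circuit: both compares always run
	out := make([]byte, len(ssReject))
	copy(out, ssReject)
	subtle.ConstantTimeCopy(a, out, ssReal) // overwrite with ssReal only when a == 1
	return out
}

func main() {
	// Constructed sample values (assumed, not real FrodoKEM data).
	Bp := []uint16{1, 2, 3, 4}
	C := []uint16{9, 8, 7}
	Cbad := []uint16{9, 8, 6}
	ssReal := []byte("0123456789abcdef")
	ssReject := []byte("fedcba9876543210")
	fmt.Printf("match:    %q\n", ctDecaps(Bp, Bp, C, C, ssReal, ssReject))
	fmt.Printf("mismatch: %q\n", ctDecaps(Bp, Bp, C, Cbad, ssReal, ssReject))
}
```

In a real decapsulation both candidate secrets can be derived up front (in FrodoKEM they differ only in whether k' or s is hashed with the ciphertext, as in the ssDec line quoted above), and then ctDecaps selects between them; deriving only one of them inside a branch would reintroduce the timing difference.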

Sorry. Yes, now it should be constant time ... I was looking at it a bit more at a higher level than I should have.

@henrydcase I believe last commit should fix it.

Just did a quick look, but indeed that looks better.

Thank you @henrydcase - I will close this ticket and release v1.0.1