
Further Kyber division fixes #1645

Closed
dstebila opened this issue Dec 30, 2023 · 6 comments · Fixed by #1649
Comments

@dstebila
Member

A few more potentially non-constant-time divisions have been identified in Kyber:
pq-crystals/kyber@272125f

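As an added illustration (not code from liboqs, pq-crystals or this issue) of the kind of division the linked commit targets: the Kyber compress step round(u * 2^d / q) mod 2^d written with a division by q, beside a multiply-and-shift form whose constants (m close to 2^k / q, plus a rounding offset) are assumed here, checked exhaustively against the division form for every coefficient in [0, q).

```c
/* Added example, not liboqs or pq-crystals code. Compares the
 * division-based Kyber compress step with a multiply-and-shift form and
 * verifies exhaustively that the two agree for every u in [0, q). */
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Reference form: '/' by a non-power-of-two constant may be compiled to a
 * hardware divide whose latency depends on the operand on some targets. */
static uint32_t compress_div(uint32_t u, unsigned d) {
    return (((u << d) + KYBER_Q / 2) / KYBER_Q) & ((1u << d) - 1);
}

/* Multiply-and-shift form: (x * m) >> k approximates x / q. The offset
 * 'add', multiplier 'm' and shift 'k' are assumptions chosen here; the
 * 64-bit product avoids any reliance on 32-bit wraparound. */
static uint32_t compress_mul(uint32_t u, unsigned d, uint32_t add,
                             uint64_t m, unsigned k) {
    uint64_t x = ((uint64_t)u << d) + add;
    return (uint32_t)((x * m) >> k) & ((1u << d) - 1);
}

/* Exhaustive equivalence check over all reduced coefficients 0..q-1.
 * Returns the number of mismatches; 0 means the replacement is exact. */
static unsigned check_equivalent(unsigned d, uint32_t add, uint64_t m,
                                 unsigned k) {
    unsigned bad = 0;
    for (uint32_t u = 0; u < KYBER_Q; u++)
        if (compress_div(u, d) != compress_mul(u, d, add, m, k))
            bad++;
    return bad;
}

int main(void) {
    /* Constants are assumptions: m is 2^k / q rounded, with the rounding
       offset adjusted so that floor() never differs from the division. */
    printf("4-bit:  %u mismatches\n", check_equivalent(4, 1665, 80635, 28));
    printf("5-bit:  %u mismatches\n", check_equivalent(5, 1664, 40318, 27));
    printf("10-bit: %u mismatches\n", check_equivalent(10, 1665, 1290167, 32));
    return 0;
}
```

The exhaustive loop is the check worth keeping in a test suite: any candidate replacement for a division by q should be proven equal over the full input range, not only spot-checked.
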
@dstebila
Member Author

dstebila commented Jan 2, 2024

In order to resolve this, I think we'd need to do the following two things:

  • copy from upstream with the above PQ-Crystals commit to update the reference and AVX2 implementations
  • add a patch à la 6982f4c to update the aarch64 implementation

Does that seem right, @SWilson4 and @praveksharma?

@dstebila
Member Author

dstebila commented Jan 2, 2024

@baentsch What additional commit needs to be cherry-picked over to the dev-092 branch?

@dstebila dstebila added this to the 0.9.2 milestone Jan 2, 2024
@baentsch
Member

baentsch commented Jan 2, 2024

> @baentsch What additional commit needs to be cherry-picked over to the dev-092 branch?

See #1647 (comment). Looks like my thinking was wrong, not a commit missing. Go ahead with 0.9.2 and we'll decide separately whether or not it warrants an oqsprovider release (right now I tend to think it doesn't: The question basically is whether we provide oqsprovider executables containing 0.9.2 (via CI&release) or whether we let people build them themselves (i.e., not do an oqsprovider release for this)).

@dstebila
Member Author

dstebila commented Jan 2, 2024

> @baentsch What additional commit needs to be cherry-picked over to the dev-092 branch?
>
> See #1647 (comment). Looks like my thinking was wrong, not a commit missing. Go ahead with 0.9.2

Thanks Michael. Okay, no cherry-picking the HQC commit over to 0.9.2.

> and we'll decide separately whether or not it warrants an oqsprovider release (right now I tend to think it doesn't: The question basically is whether we provide oqsprovider executables containing 0.9.2 (via CI&release) or whether we let people build them themselves (i.e., not do an oqsprovider release for this)).

Are we providing executables based on 0.9.0? Because this is a security release, I would want to discourage people from using 0.9.0, so would replace anything we're providing based on 0.9.0.

@SWilson4
Member

SWilson4 commented Jan 2, 2024

> In order to resolve this, I think we'd need to do the following two things:
>
> * copy from upstream with the above PQ-Crystals commit to update the reference and AVX2 implementations
>
> * add a patch à la [6982f4c](https://github.com/open-quantum-safe/liboqs/commit/6982f4c28fb4cc76ad3cf033364f9f2a6cd2d6ab) to update the aarch64 implementation
>
> Does that seem right, @SWilson4 and @praveksharma?

Seems right to me. What would you like me (and/or @praveksharma) to take on? I'm happy to help with any stage of the release process but don't want to duplicate anything you might already have in the pipeline.

@dstebila
Member Author

dstebila commented Jan 2, 2024

> Seems right to me. What would you like me (and/or @praveksharma) to take on? I'm happy to help with any stage of the release process but don't want to duplicate anything you might already have in the pipeline.

I haven't started on any of these, so if you want to do either/both, please go ahead.
