2016.12.24 13:17:00 (812633169291722752) from Daniel J. Bernstein, replying to "Thomas Pornin (@BearSSLnews)" (812335634320883713):
PowerPC CPUs typically have variable-time integer multipliers, as do some current low-end ARM CPUs. Need CPU-specific assembly. @BearSSLnews
2016.12.23 17:34:42 (812335634320883713) from "Thomas Pornin (@BearSSLnews)":
And a new 10k-word write-up on constant-time crypto (in general, and in #BearSSL in particular): https://www.bearssl.org/constanttime.html