Evaluate whether compilation introduces a secret-dependent branch

[bifurcation]

The Kyber reference implementation has a vulnerability resulting from clang introducing a secret-dependent branch. The affected function there is poly_frommsg. The analogous function in our ML-KEM implementation is Encode::<U1>::decode. We should make sure that Rust compilation does not introduce secret-dependent branches.

[bifurcation]

I mocked this up in Godbolt and on a quick skim, I don't see any branching instructions. So maybe we're OK here. Would appreciate review by someone else, though.

[tarcieri]

Perhaps the subtle or cmov crates could be helpful?