Actually, a timing side-channel leak on the one’s-complement add would not seriously impact the cipher I’m implementing in Rust; all that could be determined is whether two quasi-random inputs summed to ≥ 2^32.
That would disclose that the resultant sum was not 0xffff_ffff, which is not much, particularly since the summation result is used only once before the inputs change.
A much more severe side-channel leak exists in the hardware implementation of the integer multiply primitive on many processors, including ARM and Power. For those architectures, when one of the multiplicands has low Hamming weight the hardware uses a simplified algorithm, thus providing observable timing variances. Fortunately that side-channel leak provides no useful attack against the cipher I’m implementing in Rust, even though it uses a 32x32 -> 64 multiply.
Edits: Deleted incorrect conclusion.
0xffff_ffff is a one’s-complement minus zero, which can be added to any value other than plus zero without changing the value’s binary bit pattern (due to the resulting carry-out and wrap-around carry-in).
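The one's-complement add with end-around carry discussed above, written in Rust with and without a data-dependent branch, as an added example that is not part of the original post. The function and constant names are hypothetical, and the compiler is free to lower either form differently, so any constant-time claim has to be confirmed from the generated assembly for the target.

```rust
/// One's-complement "minus zero" (all bits set).
pub const MINUS_ZERO: u32 = 0xffff_ffff;

/// One's-complement 32-bit add. The carry-out of bit 31 is folded back
/// into bit 0 arithmetically, so the source has no branch on the carry.
pub fn ones_add(a: u32, b: u32) -> u32 {
    let wide = a as u64 + b as u64;   // at most 2^33 - 2, cannot overflow u64
    let carry = (wide >> 32) as u32;  // 1 exactly when a + b >= 2^32
    // After a carry the low word is at most 2^32 - 2, so adding the
    // carry back in can never produce a second carry.
    (wide as u32).wrapping_add(carry)
}

/// Same result, but the source branches on the carry. Kept only for
/// comparison: this is the shape whose timing could depend on the carry.
pub fn ones_add_branchy(a: u32, b: u32) -> u32 {
    let (sum, carried) = a.overflowing_add(b);
    if carried { sum.wrapping_add(1) } else { sum }
}

fn main() {
    // Constructed sample inputs.
    for x in [0u32, 1, 0x1234_5678, 0x8000_0000, 0xffff_fffe] {
        let r = ones_add(x, MINUS_ZERO);
        assert_eq!(r, ones_add_branchy(x, MINUS_ZERO));
        println!("{:#010x} + minus zero = {:#010x}", x, r);
    }
}
```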