Do you also sort in constant time at fixed array size, like djbsort claims it does?

For the 1024 array their cycle count quartiles differ from the median at the 3 promille level, but I don't know if this counts as "constant" for timing attack purposes.

Hmm, interesting question. Radix sorts, by their nature, execute the same code regardless of the contents of their elements. ( I think, I haven't thought about this before). However you will see some variation in execution time based on varying memory access patterns.

No, it's not constant time. Depending on implementation details, you end up putting different elements in different buckets in different cache lines and that creates side channels.

Radix sort will perform differently for an input that is 1,1,1,... and 1,2,3,...,n.

I have not read up on how djbsort deals with this issue, but it's the problem it's trying to solve.

It's a sorting network, which means it only uses conditional swaps in a fixed pattern, which can be made constant time.

My single-threaded floating point sort is also twice as fast as djbsort:

http://stereopsis.com/radix.html

This one uses 11-bit radix to save memory bandwidth. Without all the floating-point stuff it would be faster.

The point of djbsort is to be constant time while not being super slow.

Of course a fast directly implemented radix sort will be faster, especially if you sprinkle SIMD on top.

Actually, there is only an advantage to radix after 100,000 elements - djb is much faster for small arrays. Also, while radix is cpu constant time, you'd need to do some kind of secure shuffle in advance to make it truly constant-time (considering memory locality timing).