1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-22 23:48:58 +00:00

Document security issues (#236)

It seems wise to include _some_ form of guidance on what we know about
problems with certain (versions of) implementations.

[ci skip]
This commit is contained in:
Thom Wiggers 2019-09-25 10:47:49 +02:00 committed by Matthias J. Kannwischer
parent dd11ffc241
commit 07543ba929

View File

@ -9,4 +9,33 @@ We recommend careful expert code review before using any of the included impleme
See also the [NIST PQC Forum][forum] for discussion about the cryptographic schemes included in PQClean. See also the [NIST PQC Forum][forum] for discussion about the cryptographic schemes included in PQClean.
## Current and past security issues
We will attempt to document security vulnerabilities made known to us on a best-effort basis.
If an issue is marked with a date, the issue has been resolved since any commits made after that date.
Again, we emphasise that the code in this repository has not seen any formal analysis or audit!
Use at your own risk.
### Open issues
* LEDAcryptKEM `leaktime` implementations are known to not be constant-time and expected to have timing side channel vulnerabilities.
<!-- new date line
### 2019-XX-XX
-->
### 2019-09-24
* All Falcon implementations before [PR #235][PR 235] got merged were insecure. See [EPRINT report 2019/893][2019/893].
### 2019-09-10
* The included incremental `sha512` implementation was calling `crypto_hashblocks_sha256` before 2019-9-10.
This lead to an insufficient security level of the results of this hash function.
The function was not used in any implementations, though.
See [PR #232][PR 232].
[2019/893]: https://eprint.iacr.org/2019/893
[forum]: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Email-List [forum]: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Email-List
[PR 232]: https://github.com/PQClean/PQClean/pull/232
[PR 235]: https://github.com/PQClean/PQClean/pull/235