1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-22 23:48:58 +00:00
pqcrypto/SECURITY.md
Matthias J. Kannwischer 1eb8fbe8d3 FrodoKEM: Fix bug in the output of the ct_verify function (#367)
* Fix bug in the output of the ct_verify function

A bug in the CCA transformation was reported on the pqc-forum on 2020-12-10
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/kSUKzDNc5ME

It was fixed today in 669522db63.
This commit ports that fix to PQClean

* add note to SECURITY.md

* update upstream commit in META.yml
2021-03-24 21:02:50 +00:00

2.4 KiB

A note on the security of the included implementations and schemes

This project contains (reference) implementations of cryptographic libraries. We do not make any security claims about the code included in PQClean. In the current state, we distribute reference implementations with minor modifications. We did not perform any extensive security analyses. This code is suitable for experimental or scientific use. We recommend careful expert code review before using any of the included implementations in production environments.

See also the NIST PQC Forum for discussion about the cryptographic schemes included in PQClean.

Current and past security issues

We will attempt to document security vulnerabilities made known to us on a best-effort basis. If an issue is marked with a date, the issue has been resolved since any commits made after that date.

Again, we emphasise that the code in this repository has not seen any formal analysis or audit! Use at your own risk.

Open issues

  • LEDAcryptKEM leaktime implementations are known to not be constant-time and expected to have timing side channel vulnerabilities.

2020-12-11

  • The fix of the timing leak in the CCA transform of FrodoKEM in PR #303 was ineffective. The FrodoKEM team released another fix which was ported to PQClean in PR #367.

2020-06-19

2019-09-24

2019-09-10

  • The included incremental sha512 implementation was calling crypto_hashblocks_sha256 before 2019-9-10. This lead to an insufficient security level of the results of this hash function. The function was not used in any implementations, though. See PR #232.