liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms.
Impact
A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.
No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.
Patches
Fixed in version 0.12.0 and main branch of liboqs on GitHub.
We have reported the error to the maintainers of the HQC reference implementation.
Further details
In the 2023/04/30 version of the HQC specification and reference implementation, an extra field (sigma) was added to the secret key structure to enable implicit rejection of malformed ciphertexts. The logic that retrieves the public key from the secret key in the decapsulation function was not updated accordingly. As a result, sigma is treated as part of the public key. Later in the decapsulation call, an incorrectly constructed comparison check allows this error to go through undetected. Because the two bugs mask each other, the decapsulation function never uses sigma to perform implicit rejection; instead, it accepts malformed ciphertexts and returns shared secrets derived from their decryptions.
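To make the mechanism above concrete, the following is an added toy illustration (not liboqs or HQC code) of an FO-style KEM whose secret key carries a copy of the public key and an extra field sigma. The fixed decapsulation re-encrypts the decrypted seed and, on a mismatch, returns a value derived from sigma; the "buggy" variant models the pair of defects described in the advisory: a stale field split that swallows sigma into the public key, and a comparison whose result is never acted on. The public-key layer is textbook ElGamal over a Mersenne prime, the key layout, field lengths and hash derivations are assumptions chosen for the illustration, and the check at the end is the kind of test that would have exposed the problem: decapsulating a tampered ciphertext must yield the sigma-derived value, never the decryption-derived one.

```python
import hashlib
import hmac
import os

P = 2**521 - 1          # Mersenne prime for the toy ElGamal layer (not a real parameter)
G = 3
INT_LEN = 66            # bytes needed to store an element of Z_P
MSG_LEN = 16            # length of the encapsulated seed m (assumed)
SIGMA_LEN = 16          # length of the implicit-rejection secret sigma (assumed)
SK_LAYOUT = (INT_LEN, INT_LEN, SIGMA_LEN)   # assumed secret-key layout: sk_pke | pk | sigma


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated hash standing in for the KEM's derivation functions."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


def pke_keygen():
    x = int.from_bytes(os.urandom(INT_LEN), "big") % (P - 1) or 1
    return x.to_bytes(INT_LEN, "big"), pow(G, x, P).to_bytes(INT_LEN, "big")


def pke_encrypt(pk: bytes, m: bytes, r: int) -> bytes:
    """Deterministic given r, which is what the re-encryption check relies on."""
    y = int.from_bytes(pk, "big")
    c1 = pow(G, r, P)
    c2 = int.from_bytes(m, "big") * pow(y, r, P) % P
    return c1.to_bytes(INT_LEN, "big") + c2.to_bytes(INT_LEN, "big")


def pke_decrypt(sk_pke: bytes, ct: bytes) -> bytes:
    """Always returns a candidate message, even for garbage ct (like a code decoder)."""
    x = int.from_bytes(sk_pke, "big")
    c1 = int.from_bytes(ct[:INT_LEN], "big")
    c2 = int.from_bytes(ct[INT_LEN:], "big")
    m = c2 * pow(pow(c1, x, P), P - 2, P) % P
    return (m & ((1 << (8 * MSG_LEN)) - 1)).to_bytes(MSG_LEN, "big")


def derive_r(m: bytes, pk: bytes) -> int:
    return int.from_bytes(H(b"r", m, pk), "big") % (P - 1)


def kem_keygen():
    sk_pke, pk = pke_keygen()
    return sk_pke + pk + os.urandom(SIGMA_LEN), pk


def parse_sk(sk: bytes):
    """Correct split of the secret key into sk_pke, pk and sigma."""
    a, b, _ = SK_LAYOUT
    return sk[:a], sk[a:a + b], sk[a + b:]


def kem_encaps(pk: bytes):
    m = os.urandom(MSG_LEN)
    ct = pke_encrypt(pk, m, derive_r(m, pk))
    return ct, H(b"K", m, ct)


def kem_decaps(sk: bytes, ct: bytes) -> bytes:
    """Fixed behaviour: re-encrypt, and fall back to sigma on mismatch."""
    sk_pke, pk, sigma = parse_sk(sk)
    m2 = pke_decrypt(sk_pke, ct)
    ct2 = pke_encrypt(pk, m2, derive_r(m2, pk))
    if hmac.compare_digest(ct2, ct):
        return H(b"K", m2, ct)
    return H(b"K", sigma, ct)        # implicit rejection: independent of m2


def kem_decaps_buggy(sk: bytes, ct: bytes) -> bytes:
    """Model of the two defects in the advisory (illustrative, not HQC's code)."""
    a, _, _ = SK_LAYOUT
    sk_pke, pk_with_sigma = sk[:a], sk[a:]          # stale split: sigma swallowed into pk
    m2 = pke_decrypt(sk_pke, ct)
    ct2 = pke_encrypt(pk_with_sigma, m2, derive_r(m2, pk_with_sigma))
    rejected = not hmac.compare_digest(ct2, ct)     # always True, since pk is wrong
    del rejected   # the check's result is never consulted, so neither bug is noticed
    return H(b"K", m2, ct)                          # decryption-derived, even for bad ct


def implicit_rejection_holds(decaps, sk: bytes, ct: bytes) -> bool:
    """Tamper with a valid ciphertext and confirm decaps falls back to sigma."""
    sk_pke, _, sigma = parse_sk(sk)
    bad = ct[:-1] + bytes([ct[-1] ^ 0x01])
    expected = H(b"K", sigma, bad)
    leaked = H(b"K", pke_decrypt(sk_pke, bad), bad)
    out = decaps(sk, bad)
    return out == expected and out != leaked


def demo():
    sk, pk = kem_keygen()
    ct, k = kem_encaps(pk)
    # Both variants agree on a well-formed ciphertext, which is why plain
    # round-trip tests do not catch the problem.
    assert kem_decaps(sk, ct) == k and kem_decaps_buggy(sk, ct) == k
    return (implicit_rejection_holds(kem_decaps, sk, ct),
            implicit_rejection_holds(kem_decaps_buggy, sk, ct))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point of the last check is that a known-answer or round-trip test alone passes for both variants; only a test that feeds a deliberately malformed ciphertext and compares the output against the sigma-derived value distinguishes a decapsulation that performs implicit rejection from one that silently returns a decryption-derived secret.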
Credits
The vulnerability was identified by Célian Glénaz and Dahmun Goudarzi (Quarkslab).