Merge pull request #578 from PQClean/sw-hqc-patch

Author: thomwiggers

SECURITY.md

@@ -29,6 +29,10 @@ Reported vulnerabilities in the **Historic Issues** section have become irreleva
 
 ## Resolved Issues
 
+### 2024-12-11
+* HQC decapsulation mishandled the secret key and, when given a malformed ciphertext, returned an incorrect shared secret.
+  [PR #578](https://github.com/PQClean/PQClean/pull/578) addressed this.
+
 ### 2024-06-11
 * Kyber used a conditional move that resulted in branch instructions leaking side-channel information for certain compilers.
   [PR #558](https://github.com/PQClean/PQClean/pull/558) addressed this for the `clean` and `avx2` implementations.

crypto_kem/hqc-128/META.yml

@@ -25,4 +25,4 @@ principal-submitters:
   - Gilles Zémor
 implementations:
     - name: clean
-      version: hqc-submission_2023-04-30 via https://github.com/SWilson4/package-pqclean/tree/8db1b24b/hqc
+      version: hqc-submission_2023-04-30 via https://github.com/SWilson4/package-pqclean/tree/9b509aa7/hqc

crypto_kem/hqc-128/clean/api.h

@@ -23,4 +23,5 @@ int PQCLEAN_HQC128_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t
 
 int PQCLEAN_HQC128_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
+
 #endif

crypto_kem/hqc-128/clean/code.c

@@ -8,6 +8,8 @@
  * @brief Implementation of concatenated code
  */
 
+
+
 /**
  *
  * @brief Encoding the message m to a code word em using the concatenated code
@@ -26,6 +28,8 @@ void PQCLEAN_HQC128_CLEAN_code_encode(uint64_t *em, const uint8_t *m) {
 
 }
 
+
+
 /**
  * @brief Decoding the code word em to a message m using the concatenated code
  *
@@ -38,4 +42,5 @@ void PQCLEAN_HQC128_CLEAN_code_decode(uint8_t *m, const uint64_t *em) {
     PQCLEAN_HQC128_CLEAN_reed_muller_decode(tmp, em);
     PQCLEAN_HQC128_CLEAN_reed_solomon_decode(m, tmp);
 
+
 }

crypto_kem/hqc-128/clean/code.h

@@ -1,6 +1,7 @@
 #ifndef CODE_H
 #define CODE_H
 
+
 /**
  * @file code.h
  * @brief Header file of code.c
@@ -12,4 +13,5 @@ void PQCLEAN_HQC128_CLEAN_code_encode(uint64_t *em, const uint8_t *message);
 
 void PQCLEAN_HQC128_CLEAN_code_decode(uint8_t *m, const uint64_t *em);
 
+
 #endif

crypto_kem/hqc-128/clean/domains.h

@@ -1,11 +1,13 @@
 #ifndef DOMAINS_H
 #define DOMAINS_H
 
+
 /**
  * @file domains.h
  * @brief SHAKE-256 domains separation header grouping all domains to avoid collisions
  */
 
+
 #define PRNG_DOMAIN 1
 #define SEEDEXPANDER_DOMAIN 2
 #define G_FCT_DOMAIN 3

crypto_kem/hqc-128/clean/fft.c

@@ -14,6 +14,7 @@
  * https://binary.cr.yp.to/mcbits-20130616.pdf
  */
 
+
 static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f);
 
 /**
@@ -28,6 +29,8 @@ static void compute_fft_betas(uint16_t *betas) {
     }
 }
 
+
+
 /**
  * @brief Computes the subset sums of the given set
  *
@@ -49,6 +52,8 @@ static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint
     }
 }
 
+
+
 /**
  * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x]
  *
@@ -143,6 +148,8 @@ static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_
     memcpy(f1 + n, Q1, 2 * n);
 }
 
+
+
 /**
  * @brief Evaluates f at all subset sums of a given set
  *
@@ -236,6 +243,8 @@ static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32
     }
 }
 
+
+
 /**
  * @brief Evaluates f on all fields elements using an additive FFT algorithm
  *
@@ -305,6 +314,8 @@ void PQCLEAN_HQC128_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) {
     }
 }
 
+
+
 /**
  * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements.
  *

crypto_kem/hqc-128/clean/fft.h

@@ -1,6 +1,7 @@
 #ifndef FFT_H
 #define FFT_H
 
+
 /**
  * @file fft.h
  * @brief Header file of fft.c
@@ -13,4 +14,5 @@ void PQCLEAN_HQC128_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs);
 
 void PQCLEAN_HQC128_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w);
 
+
 #endif

crypto_kem/hqc-128/clean/gf.c

@@ -7,6 +7,7 @@
  * @brief Galois field implementation
  */
 
+
 /**
  * @brief Computes the number of trailing zero bits.
  *
@@ -23,6 +24,8 @@ static uint16_t trailing_zero_bits_count(uint16_t a) {
     return tmp;
 }
 
+
+
 /**
  * Reduces polynomial x modulo primitive polynomial GF_POLY.
  * @returns x mod GF_POLY
@@ -57,6 +60,8 @@ static uint16_t gf_reduce(uint64_t x, size_t deg_x) {
     return (uint16_t)x;
 }
 
+
+
 /**
  * Carryless multiplication of two polynomials a and b.
  *
@@ -105,6 +110,8 @@ static void gf_carryless_mul(uint8_t c[2], uint8_t a, uint8_t b) {
     c[1] = (uint8_t)h;
 }
 
+
+
 /**
  * Multiplies two elements of GF(2^GF_M).
  * @returns the product a*b
@@ -118,6 +125,8 @@ uint16_t PQCLEAN_HQC128_CLEAN_gf_mul(uint16_t a, uint16_t b) {
     return gf_reduce(tmp, 2 * (PARAM_M - 1));
 }
 
+
+
 /**
  * @brief Squares an element of GF(2^PARAM_M).
  * @returns a^2
@@ -134,6 +143,8 @@ uint16_t PQCLEAN_HQC128_CLEAN_gf_square(uint16_t a) {
     return gf_reduce(s, 2 * (PARAM_M - 1));
 }
 
+
+
 /**
  * @brief Computes the inverse of an element of GF(2^PARAM_M),
  * using the addition chain 1 2 3 4 7 11 15 30 60 120 127 254

crypto_kem/hqc-128/clean/gf.h

@@ -1,30 +1,37 @@
 #ifndef GF_H
 #define GF_H
 
+
 /**
  * @file gf.h
  * @brief Header file of gf.c
  */
 
 #include <stdint.h>
 
+
 /**
  * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8.
  * The last two elements are needed by the PQCLEAN_HQC128_CLEAN_gf_mul function
  * (for example if both elements to multiply are zero).
  */
 static const uint16_t gf_exp [258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 };
 
+
+
 /**
  * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8).
  * The logarithm of 0 is set to 0 by convention.
  */
 static const uint16_t gf_log [256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 };
 
+
+
 uint16_t PQCLEAN_HQC128_CLEAN_gf_mul(uint16_t a, uint16_t b);
 
 uint16_t PQCLEAN_HQC128_CLEAN_gf_square(uint16_t a);
 
 uint16_t PQCLEAN_HQC128_CLEAN_gf_inverse(uint16_t a);
 
+
 #endif