liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms.
Impact
Multiple secret-dependent branches have been identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang at optimization levels above -O0 (-O1, -O2, etc.).
A proof-of-concept local attack exploits this secret-dependent information to recover the entire secret key.
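The branches described above are the kind that appear when a compiler turns an arithmetic mask into a conditional jump. The following is an added example, not liboqs or HQC code, showing the defensive idiom: a branch-free comparison and a mask-based selection protected by an optimization barrier. All names (value_barrier_u32, ct_mask_nonzero, ct_select32, ct_memeq, ct_select_bytes, select_shared_secret) are hypothetical; select_shared_secret stands in for the tail of a generic KEM decapsulation and does not reproduce HQC's actual logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example; hypothetical helper names, not from liboqs or the HQC reference code.
   Optimization barrier (GCC/Clang inline-asm extension): the compiler can no longer
   see how x was derived, so it cannot rewrite the mask arithmetic below into a branch. */
static inline uint32_t value_barrier_u32(uint32_t x) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__ volatile("" : "+r"(x));
#endif
    return x;
}

/* Returns 0xFFFFFFFF when x != 0 and 0 when x == 0, computed without a branch:
   (x | -x) has its top bit set exactly when x is non-zero. */
static inline uint32_t ct_mask_nonzero(uint32_t x) {
    uint32_t top = (x | (0u - x)) >> 31;      /* 0 or 1 */
    return value_barrier_u32(0u - top);       /* 0 or all-ones */
}

/* Returns a when mask is all-ones, b when mask is zero; mask must be one of those two. */
static inline uint32_t ct_select32(uint32_t mask, uint32_t a, uint32_t b) {
    return (mask & a) | (~mask & b);
}

/* Leaky reference, kept only for contrast: the early return makes the running time
   depend on the position of the first mismatching byte. */
int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Branch-free equality: every byte is visited regardless of where a difference is.
   Returns 1 if equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    diff = value_barrier_u32(diff);           /* diff is 0..255 here */
    return (int)((diff - 1u) >> 31);          /* 1 only when diff == 0 */
}

/* Byte-wise select: dst[i] = set[i] when mask is all-ones, clear[i] otherwise.
   Both source buffers are read in full in either case. */
void ct_select_bytes(uint8_t *dst, uint32_t mask, const uint8_t *set,
                     const uint8_t *clear, size_t n) {
    uint8_t m = (uint8_t)mask;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)((m & set[i]) | ((uint8_t)~m & clear[i]));
}

/* Hypothetical tail of a KEM decapsulation (generic FO-style implicit rejection, not
   HQC's actual procedure): output the real shared secret when the recomputed
   ciphertext matches, otherwise the rejection value, without branching on the result. */
void select_shared_secret(uint8_t *out,
                          const uint8_t *ct, const uint8_t *ct_recomputed, size_t ct_len,
                          const uint8_t *ss_real, const uint8_t *ss_reject, size_t ss_len) {
    uint32_t equal = (uint32_t)ct_memeq(ct, ct_recomputed, ct_len);   /* 1 or 0 */
    uint32_t mask = value_barrier_u32(0u - equal);                     /* all-ones when equal */
    ct_select_bytes(out, mask, ss_real, ss_reject, ss_len);
}
```

The barrier is the part that matters for the advisory's scenario: without it, Clang at -O1 and above is free to notice that `mask` is either 0 or all-ones and emit a conditional jump instead of the and/or sequence. The check a maintainer should pair with this idiom is to compile the unit with the same compiler and flags used in production (for example `clang -O2 -S`) and confirm that no conditional branch depends on a secret-derived value, ideally in CI alongside a statistical timing test.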
Patches
Fixed in liboqs version 0.14.0 and on the main branch by commit 4215362.
The vulnerability has been reported to the maintainers of the HQC reference implementation.
Credits
The vulnerability was reported by Zhenzhi Lai and Zhiyuan Zhang from the University of Melbourne and the Max Planck Institute for Security and Privacy.