OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-03 10:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

oqs: PQC signature scheme Rainbow level I parameterset broken (#1337)

Browse Source
This commit is contained in:
Thom Wiggers
2022-08-11 15:54:17 +02:00
committed by GitHub
parent cc8e02bc30
commit e6ddcfcd98
1 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
crates/oqs/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,29 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "oqs"
date = "2022-02-25"
url = "https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/KFgw5_qCXiI?pli=1"
categories = ["crypto-failure"]
# affected enum variants ([affected.functions] requires functions)
#"oqs::sig::Algorithm::RainbowIaClassic" = ["< 0.5.0, >= 0.2.0"]
#"oqs::sig::Algorithm::RainbowIaCyclic" = ["< 0.5.0, >= 0.2.0"]
#"oqs::sig::Algorithm::RainbowIaCyclicCompressed" = ["< 0.5.0, >= 0.2.0"]
#"oqs::sig::Algorithm::RainbowIClassic" = ["< 0.7.2, >= 0.5.0"]
#"oqs::sig::Algorithm::RainbowICircumzenithal" = ["< 0.7.2, >= 0.5.0"]
#"oqs::sig::Algorithm::RainbowICompressed" = ["< 0.7.2, >= 0.5.0"]
# Versions which include fixes for this vulnerability (mandatory)
[versions]
patched = [">= 0.7.2"]
```
# Post-Quantum Signature scheme Rainbow level I parametersets broken
Ward Beullens found a practical key-recovery attack against Rainbow.
The level I parametersets are removed from liboqs starting from version `0.7.2`.
Find the scientific details in [Breaking Rainbow Takes a Weekend on a Laptop](https://eprint.iacr.org/2022/214).
This means all the `oqs::sig::Algorithm::RainbowI*` variants are insecure.