open-quantum-safe
Known non-constant time behaviour in HQC
Our constant time test raises three issues with the "clean" implementation of the HQC code. I've reviewed these and I am of the opinion that they are true instances of non-constant time behaviour.
I've copied a description of each issue and a link to the issue file below.
Secret-dependent indexing into the "gf_exp" array in line 20 of gf.c: https://github.com/open-quantum-safe/liboqs/blob/8981b7f33749abb027e9fe907c2f0e811c5c9048/src/kem/hqc/pqclean_hqc-rmrs-128_clean/gf.c#L16-L21
hqc_vect_set_random_fixed_weight
Line 90 of vector.c reveals partial information about the location of non-zero bits in a secret fixed weight vector https://github.com/open-quantum-safe/liboqs/blob/8981b7f33749abb027e9fe907c2f0e811c5c9048/src/kem/hqc/pqclean_hqc-rmrs-128_clean/vector.c#L82-L92
The "fast_convolution_mult" routine makes secret dependent accesses to an array. It obfuscates the pattern of memory accesses by applying some permutations, but I'm not convinced that this is an adequate countermeasure. https://github.com/open-quantum-safe/liboqs/blob/8981b7f33749abb027e9fe907c2f0e811c5c9048/src/kem/hqc/pqclean_hqc-rmrs-128_clean/gf2x.c#L70
I have not. Philippe Gaborit (of the HQC team) posted to pqc-forum on Nov. 3 2020:
the reference version is not secure (and is not supposed to be), for instance it is not constant time.
So I assume they are aware of the issues.
In the same email, Philippe says that the team will fix a number of other problems that were identified by PQClean. We're still waiting on an updated code package.
Quick "sanity" question: We are holding the release of 0.7.2 on constant-time issues in Picnic -- but not on this, apparently same, issue in HQC: Intentional or omission?
