HQC implementations don't match round 4

[celi0n]

The HQC post quantum KEM implementation in both Java and C# are not matching the reference implementation for round 4 https://pqc-hqc.org/implementation.html. A sigma variable was added on round 3 (2023/04/30) to provide explicit rejection. bouncy castle implementations instead return ss=0 when decapsulation failed

bc-java/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java

Lines 266 to 273 in c349210

	if (result == 0)
	{ //abort
	for (int i = 0; i < getSessionKeySize(); i++)
	{
	ss[i] = 0;
	}
	}
	}

Be aware that there are 2 bugs in this part of the reference implementation (not fixed yet) that make it deviate from the specifications (GHSA-gpf4-vrrw-r8v7).

Also, the code is using non constant time comparison for u, v and d with Arrays.equal where the reference implementation (even in round 3) use constant time comparison with vect_compare.

bc-java/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java

Lines 251 to 264 in c349210

	if (!Arrays.areEqual(u, u2Bytes))
	{
	result = 0;
	}
	if (!Arrays.areEqual(v, v2Bytes))
	{
	result = 0;
	}
	if (!Arrays.areEqual(d, dPrime))
	{
	result = 0;
	}

I don't report this as a security issue as bouncycastle's website states these are available for experimenting.

Célian Glénaz (Quarkslab)

[roy-basmacier]

Hey @celi0n,

I patched HQC to match the 2024-10-30 reference implementation along with the bug fix.

Thanks for the detailed report,
Roy

[dghgit]

New beta has been pushed to https://downloads.bouncycastle.org/betas/ updates should appear on github shortly.