Subject: [pqc-forum] OFFICIAL COMMENT: RaCoSS
From: Lorenz Panny
Reply-To: authorcontact-racoss@box.cr.yp.to
Date: Sat, 23 Dec 2017 15:10:48 +0100
To: pqc-comments@nist.gov
CC: pqc-forum@list.nist.gov
Message-ID: <20171223151048.339ea47e@l>

Dear designers, dear all,

In looking for a signature forgery we noticed that in some cases, almost any message passes as valid for a given signature when using the code in Reference_Implementation. This is because of a confusion between bits and bytes, thus only 1/8th of the entries of c get compared:

    for( i=0 ; i<(RACOSS_N/8) ; i++ ) /* compare ith bit and fail on mismatch */

Since c has very low weight, this succeeds with high probability: The signature of the first KAT "signs" about 67% of all messages because c starts with 300 zero bits. If c has {1, 2, 3} of the first 300 bits set, the probability that a random message is accepted for a given signature drops to about {2^-10, 2^-20, 2^-31}.

Moreover, we also noticed memory leaks in wrhf() and crypto_sign_open(); in both cases the arrays obtained via malloc() are not free()d.

Regards
Andreas, Dan, Lorenz, and Tanja

-----------
Andreas Huelsing, Daniel J. Bernstein, Lorenz Panny, Tanja Lange
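The truncated comparison and its fix, as an added illustration that is neither the RaCoSS reference code nor written by the authors of the message above; the code length (2400 bits), the weight of c (3) and the bit-packed layout of c are assumptions chosen so that the numbers reproduce the 67% and 2^-10/2^-20/2^-31 figures quoted in the comment:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters (not taken from the submission): c is a packed bit
 * vector of RACOSS_N = 2400 bits with exactly 3 bits set, which matches the
 * "300 zero bits" and "67%" figures quoted in the message above. */
#define RACOSS_N 2400
#define C_BYTES  (RACOSS_N / 8)

static int  get_bit(const uint8_t *v, size_t i) { return (v[i / 8] >> (i % 8)) & 1; }
static void set_bit(uint8_t *v, size_t i)       { v[i / 8] |= (uint8_t)(1u << (i % 8)); }

/* Buggy check: the loop bound is the BYTE count, so only bits 0..299 of c are compared. */
int compare_c_buggy(const uint8_t *c, const uint8_t *c_recomputed) {
    for (size_t i = 0; i < (RACOSS_N / 8); i++)
        if (get_bit(c, i) != get_bit(c_recomputed, i)) return 0;
    return 1;
}

/* Fixed check: the loop bound is the BIT count, so every entry of c is compared. */
int compare_c_fixed(const uint8_t *c, const uint8_t *c_recomputed) {
    for (size_t i = 0; i < RACOSS_N; i++)
        if (get_bit(c, i) != get_bit(c_recomputed, i)) return 0;
    return 1;
}

/* Probability that a uniformly random weight-w vector c' agrees with c on the
 * first k bits, given that c has j ones among those k bits: C(n-k, w-j) / C(n, w). */
double truncated_accept_prob(unsigned n, unsigned k, unsigned w, unsigned j) {
    double num = 1.0, den = 1.0;
    for (unsigned i = 0; i < w - j; i++) num = num * (n - k - i) / (i + 1);
    for (unsigned i = 0; i < w; i++)     den = den * (n - i) / (i + 1);
    return num / den;
}

/* Constructed example: c taken from a signature, and a c' recomputed for a
 * different message, differing only beyond bit 300. Returns 1 iff the buggy
 * check accepts the mismatch while the fixed check rejects it. */
int demo_forgery(void) {
    uint8_t c[C_BYTES] = {0}, c_other[C_BYTES] = {0};
    set_bit(c, 1000);       set_bit(c, 1500);       set_bit(c, 2000);
    set_bit(c_other, 1100); set_bit(c_other, 1600); set_bit(c_other, 2100);
    return compare_c_buggy(c, c_other) == 1 && compare_c_fixed(c, c_other) == 0;
}

int main(void) {
    printf("buggy accepts, fixed rejects: %d\n", demo_forgery());
    printf("P(accept | 0 ones in first 300 bits) = %.3f\n", truncated_accept_prob(RACOSS_N, 300, 3, 0));
    return 0;
}
```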