Hello Again,
The candidate HuFu allows signature forgeries by bit flipping of specific bits of the signature encoding. This technically breaks the proposal's strong unforgeability (SUF-CMA) security claim (Section 2.2.)
For example, given the count = 0 test vector for Level 1 HuFu (PQCsignKAT_11417440.rsp), we may change bit 4 of byte 820 from 14 to 04:
sm = 09649401450 .. 54E2D7[14]3C2DCF .. 93BC06BC3041C66
sm = 09649401450 .. 54E2D7[04]3C2DCF .. 93BC06BC3041C66
Both signatures verify. Five other signature bits can be changed without causing the signature to be rejected -- or a more severe malfunction (see below). A brief investigation seems to point to unspecified/ambiguous encoding of the bits between the rANS "high" and "low" portions.
The signature verification code of HuFu also contains buffer overflow vulnerabilities. One is remarkably similar to the one in Haetae (resembling Heartbleed) from a "forensic" perspective -- even though the authorship appears to be completely different.
File `HuFu-noKATs/HuFu/Reference_Implementation/crypto_sign/HuFu_NIST1/sign.c`, function `crypto_sign_open()`:
```c
220: // recover sig_len
221: unsigned sig_len = ((unsigned)sm[0] << 8) | sm[1];
222: *mlen = smlen - sig_len - PARAM_SALT_BYTES - 2;
223:
224: // Step 6: recover u
225: uint8_t mexp[*mlen+PARAM_SALT_BYTES];
226: memcpy(mexp , sm + 2 + sig_len, *mlen+PARAM_SALT_BYTES);
227: memcpy(m, mexp, *mlen);
```
We observe that the 16-bit length variable `sig_len` decoded on line 221 is not checked but used in an address computation at line 226. This is a critical-level remote code execution and/or sensitive data leak vulnerability if instantiated in an application.
This is not an exhaustive list of vulnerabilities -- there appear to be additional problems at the end of the signature (I have an untriaged buffer overflow with bit flips there), and I did examine the public key encoding (which is also attacker-controlled in server applications) apart from finding that it can also be modified without affecting the signature verification result (no attention paid to BUFF.)
Cheers,
markku
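As an added illustration, not part of the message above and not HuFu's own code: the length check that the `crypto_sign_open()` excerpt lacks, shown beside the unchecked arithmetic. The `sm` layout (2-byte big-endian `sig_len`, then the signature, then message and salt) is inferred from the excerpt, and the salt size of 32 bytes is an assumption standing in for HuFu's real `PARAM_SALT_BYTES`.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed salt size for this illustration (HuFu's real constant is PARAM_SALT_BYTES). */
#define PARAM_SALT_BYTES 32

/* Constructed sample inputs: 2-byte big-endian sig_len, then sig_len signature bytes,
 * then a 3-byte message and the salt, as the crypto_sign_open() excerpt lays them out. */
static const uint8_t SM_OK[2 + 4 + 3 + PARAM_SALT_BYTES]  = { 0x00, 0x04 /* rest zero */ };
static const uint8_t SM_BAD[2 + 4 + 3 + PARAM_SALT_BYTES] = { 0xFF, 0xFF /* oversized */ };

/* Length arithmetic as in the excerpt, with no check that sig_len fits in smlen.
 * For an oversized sig_len the subtraction wraps around in unsigned arithmetic,
 * so the memcpy() that follows in the original would read far past the end of sm. */
size_t unchecked_mlen(const uint8_t *sm, size_t smlen) {
    unsigned sig_len = ((unsigned)sm[0] << 8) | sm[1];
    return smlen - sig_len - PARAM_SALT_BYTES - 2;
}

/* Hardened variant: reject any input whose header, signature and salt do not fit
 * before any address is computed. Returns the message length, or -1 if malformed. */
long checked_mlen(const uint8_t *sm, size_t smlen) {
    if (sm == NULL || smlen < 2 + PARAM_SALT_BYTES)
        return -1;
    size_t sig_len = ((size_t)sm[0] << 8) | sm[1];
    if (sig_len > smlen - 2 - PARAM_SALT_BYTES)   /* cannot underflow: checked above */
        return -1;
    return (long)(smlen - 2 - PARAM_SALT_BYTES - sig_len);
}
```

With `SM_BAD`, `unchecked_mlen()` yields a wrapped-around length far larger than the buffer, while `checked_mlen()` rejects the input before any copy would take place.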