Dear Alex, Dan, and Tanja,
Thank you for sharing your observation regarding the reference C code of PALOMA.
We have carefully reviewed the bug you've outlined.
Source Code Changes
In the utility/decap.c file, specifically within the decap() function, we have made modifications to the check_err_vec function call as follows:
Before:
--------------------------------------------------------------------------------------
if (!check_err_vec(e_hat))
{
puts("invalid error vector: error vector does not have t errors.");
exit(1);
}
--------------------------------------------------------------------------------------
After:
--------------------------------------------------------------------------------------
/* Delete the following 5 lines. */
// if (!check_err_vec(e_hat))
// {
// puts("invalid error vector: error vector does not have t error.");
// exit(1);
// }
--------------------------------------------------------------------------------------
It was code intended for debugging during development, and it was mistakenly not deleted.
With this removal, if the Hamming weight of the error vector after decryption is not t, implicit rejection is triggered, and the aforementioned modification enables the software to defend against the scenario.
Additionally, we are actively working on further improvements from a secure implementation perspective. Updates reflecting these changes will soon be available on the PALOMA Website.
Once again, we appreciate your thorough analysis of PALOMA and the insights you've provided.
Best regards,
PALOMA TEAM
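The change described in the message above, shown as an added example that is not PALOMA's reference code: a toy KEM-style decapsulation in which a decrypted error vector whose Hamming weight differs from t no longer aborts the process but instead feeds an implicit-rejection key derived from a secret seed. Every name here (decap_implicit, toy_kdf, ct_select, the constants N_BYTES, T_WEIGHT, KEY_BYTES, and the sample seed and ciphertext bytes) is an assumption constructed for illustration; toy_kdf is a non-cryptographic stand-in for the scheme's hash, and the weight check and key selection are written without data-dependent branches so that the caller observes the same control flow on both paths.

```c
/* Added example, not PALOMA reference code. Names, sizes and sample bytes are
 * constructed for illustration; toy_kdf is NOT a cryptographic hash. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define N_BYTES   16   /* toy error-vector length in bytes (assumed) */
#define T_WEIGHT  4    /* expected Hamming weight t (assumed) */
#define KEY_BYTES 32   /* shared-secret length (assumed) */

/* Hamming weight of a byte string, computed with a branch-free popcount. */
static unsigned hamming_weight(const uint8_t *v, size_t n) {
    unsigned w = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = v[i];
        b = (uint8_t)(b - ((b >> 1) & 0x55));
        b = (uint8_t)((b & 0x33) + ((b >> 2) & 0x33));
        w += (unsigned)((b + (b >> 4)) & 0x0F);
    }
    return w;
}

/* Returns 1 if weight(e_hat) == t, else 0, as a single bit with no branch on the result. */
static uint8_t check_err_vec(const uint8_t *e_hat, size_t n, unsigned t) {
    uint32_t d = (uint32_t)(hamming_weight(e_hat, n) ^ t); /* zero iff weight == t */
    d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (uint8_t)(1u - (d & 1u));
}

/* Toy domain-separated KDF (FNV-1a style mixing). Stand-in only; not cryptographic. */
static void toy_kdf(uint8_t out[KEY_BYTES], uint8_t tag,
                    const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    uint64_t h = 0xcbf29ce484222325ULL ^ tag;
    for (size_t i = 0; i < alen; i++) { h ^= a[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < blen; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < KEY_BYTES; i++) {
        h ^= (uint8_t)i; h *= 0x100000001b3ULL;
        out[i] = (uint8_t)(h >> 56);
    }
}

/* Constant-time select: dst = ok ? a : b, byte by byte, via a mask. */
static void ct_select(uint8_t *dst, const uint8_t *a, const uint8_t *b, size_t n, uint8_t ok) {
    uint8_t mask = (uint8_t)(0 - ok); /* 0xFF when ok == 1, 0x00 when ok == 0 */
    for (size_t i = 0; i < n; i++) dst[i] = (uint8_t)((a[i] & mask) | (b[i] & ~mask));
}

/* Decapsulation with implicit rejection: always writes a key and returns 0.
 * A malformed e_hat silently yields K = KDF(z, ct) instead of calling exit(1). */
int decap_implicit(uint8_t key[KEY_BYTES], const uint8_t *e_hat, size_t n,
                   const uint8_t z[KEY_BYTES], const uint8_t *ct, size_t ctlen) {
    uint8_t k_good[KEY_BYTES], k_rej[KEY_BYTES];
    uint8_t ok = check_err_vec(e_hat, n, T_WEIGHT);
    toy_kdf(k_good, 0x01, e_hat, n, ct, ctlen);    /* normal path: key from e_hat */
    toy_kdf(k_rej,  0x02, z, KEY_BYTES, ct, ctlen); /* rejection path: key from secret seed z */
    ct_select(key, k_good, k_rej, KEY_BYTES, ok);   /* both computed; one selected */
    return 0;
}

/* Self-check: 1 when a weight-t vector gets the normal key, a weight-(t-1) vector
 * gets the rejection key, and the two keys differ. Inputs are constructed samples. */
int selftest(void) {
    static const uint8_t z[KEY_BYTES] = { 0xA5, 0x5A, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };
    static const uint8_t ct[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t e_ok[N_BYTES]  = { 0x0F }; /* weight 4 == t */
    uint8_t e_bad[N_BYTES] = { 0x07 }; /* weight 3 != t */
    uint8_t k1[KEY_BYTES], k2[KEY_BYTES], want_good[KEY_BYTES], want_rej[KEY_BYTES];
    decap_implicit(k1, e_ok,  N_BYTES, z, ct, sizeof ct);
    decap_implicit(k2, e_bad, N_BYTES, z, ct, sizeof ct);
    toy_kdf(want_good, 0x01, e_ok, N_BYTES, ct, sizeof ct);
    toy_kdf(want_rej,  0x02, z, KEY_BYTES, ct, sizeof ct);
    return memcmp(k1, want_good, KEY_BYTES) == 0
        && memcmp(k2, want_rej,  KEY_BYTES) == 0
        && memcmp(k1, k2, KEY_BYTES) != 0;
}

int main(void) {
    printf("implicit rejection selftest: %s\n", selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of keeping both KDF calls and selecting with a mask, rather than returning early, is that a caller (or a remote peer timing the response) sees the same amount of work whether or not e_hat was well-formed; the explicit `exit(1)` that was removed would have turned a malformed ciphertext into an observable process termination.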