
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-h864-m8vm-3xvj) affects the Rainbow level I parameter sets of the Rainbow post-quantum signature scheme in the oqs Rust crate, in versions below 0.7.2. It was discovered by Ward Beullens, who found a practical key-recovery attack against Rainbow that was announced on February 25, 2022. All oqs::sig::Algorithm::RainbowI* variants are affected (NIST Forum, RustSec).
The vulnerability allows a practical key-recovery attack that recovers a private key for the Security Level I parameter set. The attack was demonstrated to work on a laptop in approximately 53 hours using the implementation of block Wiedemann XL. The attack was confirmed by the Rainbow team, who acknowledged missing this simple attack vector (NIST Forum).
The vulnerability completely compromises the security of Rainbow Level I parameters, making it possible to recover private keys in a practical timeframe using modest computing resources. This affects any systems or applications relying on Rainbow Level I for post-quantum cryptographic signatures (GitHub Advisory).
Users should upgrade to oqs version 0.7.2 or later, where the Rainbow level I parameter sets have been removed. As a mitigation strategy, the Rainbow team proposed replacing the Level 1 parameters with the Level 3 parameters and the Level 3 parameters with the Level 5 parameters (GitHub Advisory, NIST Forum).
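To find affected projects, the following added example (not code from the oqs project or the advisory) checks Cargo.lock text for a locked oqs version below 0.7.2 and scans Rust source text for RainbowI* identifiers while skipping level III names that share the prefix. The function names, the sample inputs and the concrete variant names in the sample are assumptions made for illustration.

```rust
// Added example. All sample inputs below are constructed.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"oqs\"\nversion = \"0.7.1\"\n\n\
[[package]]\nname = \"oqs-sys\"\nversion = \"0.7.1\"\n";
// Variant names are assumed, chosen only to illustrate the RainbowI* prefix.
const SAMPLE_SRC: &str =
    "let a = Algorithm::RainbowIClassic;\nlet b = Algorithm::RainbowIIIClassic;\n";

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Return every locked `oqs` version below 0.7.2 found in Cargo.lock text.
/// The name must match exactly, so `oqs-sys` entries are not reported.
fn vulnerable_oqs_versions(lock: &str) -> Vec<String> {
    let (mut hits, mut in_oqs) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_oqs = false;
        } else if line == "name = \"oqs\"" {
            in_oqs = true;
        } else if in_oqs && line.starts_with("version = ") {
            let v = line["version = ".len()..].trim_matches('"');
            if parse_version(v).map_or(false, |p| p < (0, 7, 2)) {
                hits.push(v.to_string());
            }
            in_oqs = false;
        }
    }
    hits
}

/// Return 1-based line numbers that mention a Rainbow level I identifier.
/// "RainbowI" followed by another 'I' is a level III name and is skipped.
fn rainbow_level1_lines(src: &str) -> Vec<usize> {
    const NEEDLE: &str = "RainbowI";
    src.lines().enumerate().filter(|(_, l)| {
        l.match_indices(NEEDLE)
            .any(|(i, _)| l[i + NEEDLE.len()..].chars().next() != Some('I'))
    }).map(|(n, _)| n + 1).collect()
}

fn main() {
    println!("vulnerable oqs versions: {:?}", vulnerable_oqs_versions(SAMPLE_LOCK));
    println!("level I references on lines: {:?}", rainbow_level1_lines(SAMPLE_SRC));
}
```

A source hit on a project that has already upgraded means the code will no longer compile against oqs 0.7.2, since the level I parameter sets were removed there.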
The cryptographic community responded quickly to the discovery, with the Rainbow team promptly acknowledging the vulnerability and implementing the attack to verify its effectiveness. There were discussions about Rainbow's future in the NIST Post-Quantum Cryptography standardization process, with some experts suggesting that Rainbow should not advance to the next round (NIST Forum).
Source: This report was generated using AI