Security warnings
Most of the primitives (mathematical functions)
in libpqcrypto
are new.
For quantitative and qualitative security analysis,
see the individual submission packages,
and watch NIST's pqc-forum
for updates.
There could be security problems in libpqcrypto
even if all the proposed primitives achieve their security goals.
Most of the software in libpqcrypto
is new
and has not been audited.
In particular:
- There could be software bugs that result in the software computing different functions from the proposals, and these differences could destroy security.
- The command-line tools have additional code (input, output, KEM-DEM hybrids, etc.) and have not been audited.
- Some of the software has data-dependent branches and data-dependent array indices, presumably leaking secrets through timings.
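The third point is easier to see with a concrete contrast. The following C snippet is an added illustration, not code from libpqcrypto or from any submission package: it compares a secret against a guess once with a data-dependent early exit and once without any branch on secret data, counting loop iterations as a stand-in for running time. The secret and guess bytes are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not libpqcrypto code). Loop iterations stand in for
 * running time so the leak is visible without a cycle counter.
 */

/* Variable-time comparison: returns at the first mismatch, so the
 * iteration count (and the running time) reveals how many leading
 * bytes of the secret the guess got right. */
int compare_variable_time(const uint8_t *secret, const uint8_t *guess,
                          size_t n, size_t *iterations)
{
    *iterations = 0;
    for (size_t i = 0; i < n; i++) {
        (*iterations)++;
        if (secret[i] != guess[i])      /* data-dependent branch */
            return 1;
    }
    return 0;
}

/* Constant-time comparison: every byte is visited, differences are
 * accumulated with OR, and the result is collapsed to 0/1 with
 * arithmetic only. Timing no longer depends on the secret. */
int compare_constant_time(const uint8_t *secret, const uint8_t *guess,
                          size_t n, size_t *iterations)
{
    uint8_t diff = 0;
    *iterations = 0;
    for (size_t i = 0; i < n; i++) {
        (*iterations)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);   /* no branch on data */
    }
    /* diff is 0..255; ((diff - 1) >> 31) is 1 exactly when diff == 0,
     * so the expression is 0 for "equal" and 1 for "different". */
    return (int)((((uint32_t)diff - 1U) >> 31) ^ 1U);
}

int main(void)
{
    /* constructed sample values, not real key material */
    const uint8_t secret[4]      = {0x4b, 0x65, 0x79, 0x21};
    const uint8_t guess_none[4]  = {0x00, 0x65, 0x79, 0x21}; /* 0 leading bytes match */
    const uint8_t guess_three[4] = {0x4b, 0x65, 0x79, 0x00}; /* 3 leading bytes match */
    size_t it;

    compare_variable_time(secret, guess_none, 4, &it);
    printf("variable-time, 0 matching bytes: %zu iterations\n", it);
    compare_variable_time(secret, guess_three, 4, &it);
    printf("variable-time, 3 matching bytes: %zu iterations\n", it);
    compare_constant_time(secret, guess_none, 4, &it);
    printf("constant-time, 0 matching bytes: %zu iterations\n", it);
    compare_constant_time(secret, guess_three, 4, &it);
    printf("constant-time, 3 matching bytes: %zu iterations\n", it);
    return 0;
}
```

The variable-time version does more work the closer the guess is to the secret, which is exactly the signal a timing measurement recovers; the constant-time version does the same work regardless. Real code also has to avoid secret-dependent array indices (the second half of the warning above), since cache behaviour leaks those the same way branches leak here.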
New projects in high-assurance cryptographic software
are working towards engineering a new generation of software
with formally verified guarantees
of constant-time behavior and full functional correctness.
Future updates to libpqcrypto
will take advantage of this.
Version: This is version 2018.03.14 of the "Warnings" web page.