Use NIST PQC Round 4 implementation of Classic McEliece

[stv0g]

Blockers:

• OQS Version 9 ((Milestone)[https://github.com/open-quantum-safe/liboqs/milestone/22], (OQS 9 RC 1)[https://github.com/open-quantum-safe/liboqs/releases/tag/0.9.0-rc1])
• oqs-sys OQS 9 Support Bump PR 1

---

Cloudflare's CIRCL McEliece implementation implements the KEM based on the NIST PQC round 4 specification.

Round 4 has removed the plaintext confirmation (pc) from the ciphertext and as a result uses 32-byte shorted secret keys which are incompatible with the liboqs implementation which is based on the Round 3 specification (or Round 2 which rosenpass is actually using).

The website of Classic McEliece also mentioned this explicitly in their implementations section:

The older "pc" variants have 32 extra bytes in ciphertexts.

The Rosenpass whitepaper does not specify which version of the KEM must be used.

The Rust implementation of Rosenpass uses the even older Round 2 implementation provided by liboqs.

I propose to switch to the updated Round 4 version.

See also

• Implement Classic McEliece cloudflare/circl#378 (comment)
• https://classic.mceliece.org/mceliece-pc-20221023.pdf
• https://classic.mceliece.org/impl.html

[stv0g]

@koraa Should we maybe create a v1 milestone in GitHub to track the issues which need to be resolved before v1?

If you agree, I would add this issue to this milestone.

[koraa]

https://crates.io/crates/pqcrypto

This might be a good alternative.

[clausecker]

Note that liboqs has switched to the round 4 specification with oqs-sys v0.9.0. Perhaps you could bump the dependency?

As a bonus, this would also permit unbundling liboqs as per issue #19.

[prabhpreet]

#266 or #292 will close this in the implementation

[prabhpreet]

Closed by #292