PT-2026-27356 · Crates.Io · Libcrux-Sha3
Published
2026-03-04
·
Updated
2026-03-04
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The incremental squeeze functions in the portable SHAKE XOF API, when
attempting to squeeze more than
RATE (168 for SHAKE128, 136 for
SHAKE256) bytes, performed an additional permutation of the state
before producing the first output block, thus discarding the first
block of RATE bytes of valid XOF output.Impact
This bug impacts users that rely on this XOF API to squeeze more than
RATE bytes. It does not impact the use of libcrux-sha3 in
libcrux-ml-kem or libcrux-ml-dsa.Mitigation
Starting from version
0.0.8 the squeeze functions correctly output
all blocks including the first block. Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Libcrux-Sha3