HQC round 4 rng initialization

[strongX509]

We have just upgraded to liboqs-0.10.0 which includes the HQC round 4 implementation. Our generic test suite for KEM algorithms is feeding the seed of the KAT files to a DRBG in AES256 counter mode as required by NIST but the HQC tests miserably fail because the RNG initialization is done in a proprietary way. I see that the liboqs project has adapted the RNG initalization for HQC accordingly in order for the KAT tests to succeed. Any information on why HQC has chosen a different approach which is really a PITA?

[baentsch]

Any information on why HQC has chosen a different approach

I personally don't; maybe @dstebila @SWilson4 ? In general, we provide a direct link in the documentation to allow checking back with every algorithm-specific source of truth. Should you get insight there, it'd be nice to link the rationale here, too for others to benefit searching this archive.

[SWilson4]

HQC started using SHA3 instead of the NIST DRBG in the Round 4 submission. I don't know what the rationale for this decision was.

I feel your pain as I had to make workarounds in both PQClean and liboqs to switch out the KAT PRNG for HQC specifically. The good news is that the "proprietary" DRBG is just SHAKE256, so it's not a lot of work to get it running.