ring affected by CVE-2022-37454?

[dns2utf8]

Hi all

I did not have time to look into this, but are we affected too?

A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms https://eprint.iacr.org/2023/331.pdf

[newpavlov]

As far as I understand the issue, no, our code (i.e. the sha3 crate) should not be affected. We do block splitting generically using the block-buffer crate without any casting shenanigans between 32 and 64 bit integers.

As for ring, it's better to ask in the ring repo, not here, as it's not part of the RustCrypto project.

[dns2utf8]

That are good points, thank you! Could we add the test vectors they found just to be safe?

[newpavlov]

To trigger the issue on affected code you need to hash 4GiB+. It's too much for integration tests which we run in our CI.