chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security]

[descope]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/cloudflare/circl	indirect	patch	v1.6.1 → v1.6.3

GitHub Vulnerability Alerts

CVE-2026-1229

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

---

Release Notes

cloudflare/circl (github.com/cloudflare/circl)

v1.6.3: CIRCL v1.6.3

Compare Source

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in #​582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in #​583
• Release CIRCL v1.6.3 by @​armfazh in #​584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

v1.6.2: CIRCL v1.6.2

Compare Source

CIRCL v1.6.2

• New SLH-DSA, improvements in ML-DSA for arm64.
• Tested compilation on WASM.

What's Changed

• Optimize pairing product computation by moving exponentiations to G1. by @​dfaranha in #​547
• sign: Adding SLH-DSA signature by @​armfazh in #​512
• Update code generators to CIRCL v1.6.1. by @​armfazh in #​548
• ML-DSA: Add preliminary Wycheproof test vectors by @​bwesterb in #​552
• go fmt by @​bwesterb in #​554
• gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @​armfazh in #​555
• group: Removes use of elliptic Marshal and Unmarshal functions. by @​armfazh in #​556
• Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @​bwesterb in #​559
• Update to golangci-lint v2 by @​bwesterb in #​560
• Preparation for ARM64 Implementation of poly operations for dilithium package. by @​elementrics in #​562
• prepare power2Round for custom implementations in assembly by @​elementrics in #​564
• ARM64 implementation for poly.PackLe16 by @​elementrics in #​563
• add arm64 version of polyMulBy2toD by @​elementrics in #​565
• add arm64 version of polySub by @​elementrics in #​566
• group: add byteLen method for short groups and RandomScalar uses rand.Int by @​armfazh in #​568
• add arm64 version of poly.Add/Sub by @​elementrics in #​572
• group: Adding cryptobyte marshaling to scalars by @​armfazh in #​569
• Bumping up to Go1.25 by @​armfazh in #​574
• ci: Including WASM compilation. by @​armfazh in #​577
• Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @​harshiniwho in #​578
• Release v1.6.2 by @​armfazh in #​579

New Contributors

• @​dfaranha made their first contribution in #​547
• @​elementrics made their first contribution in #​562
• @​harshiniwho made their first contribution in #​578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Jerusalem, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.