golang: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY]

[ata-no-one]

This PR contains the following updates:

Package	Type	Update	Change
github.com/cloudflare/circl	indirect	patch	v1.6.1 -> v1.6.3

---

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2026-1229

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

---

Release Notes

cloudflare/circl (github.com/cloudflare/circl)

v1.6.3: CIRCL v1.6.3

Compare Source

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

• sign/mldsa: Check opts for nil value by @​armfazh in https://github.com/cloudflare/circl/pull/582
• ecc/p384: Point addition must handle point doubling case. by @​armfazh in https://github.com/cloudflare/circl/pull/583
• Release CIRCL v1.6.3 by @​armfazh in https://github.com/cloudflare/circl/pull/584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

v1.6.2: CIRCL v1.6.2

Compare Source

CIRCL v1.6.2

• New SLH-DSA, improvements in ML-DSA for arm64.
• Tested compilation on WASM.

What's Changed

• Optimize pairing product computation by moving exponentiations to G1. by @​dfaranha in https://github.com/cloudflare/circl/pull/547
• sign: Adding SLH-DSA signature by @​armfazh in https://github.com/cloudflare/circl/pull/512
• Update code generators to CIRCL v1.6.1. by @​armfazh in https://github.com/cloudflare/circl/pull/548
• ML-DSA: Add preliminary Wycheproof test vectors by @​bwesterb in https://github.com/cloudflare/circl/pull/552
• go fmt by @​bwesterb in https://github.com/cloudflare/circl/pull/554
• gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @​armfazh in https://github.com/cloudflare/circl/pull/555
• group: Removes use of elliptic Marshal and Unmarshal functions. by @​armfazh in https://github.com/cloudflare/circl/pull/556
• Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @​bwesterb in https://github.com/cloudflare/circl/pull/559
• Update to golangci-lint v2 by @​bwesterb in https://github.com/cloudflare/circl/pull/560
• Preparation for ARM64 Implementation of poly operations for dilithium package. by @​elementrics in https://github.com/cloudflare/circl/pull/562
• prepare power2Round for custom implementations in assembly by @​elementrics in https://github.com/cloudflare/circl/pull/564
• ARM64 implementation for poly.PackLe16 by @​elementrics in https://github.com/cloudflare/circl/pull/563
• add arm64 version of polyMulBy2toD by @​elementrics in https://github.com/cloudflare/circl/pull/565
• add arm64 version of polySub by @​elementrics in https://github.com/cloudflare/circl/pull/566
• group: add byteLen method for short groups and RandomScalar uses rand.Int by @​armfazh in https://github.com/cloudflare/circl/pull/568
• add arm64 version of poly.Add/Sub by @​elementrics in https://github.com/cloudflare/circl/pull/572
• group: Adding cryptobyte marshaling to scalars by @​armfazh in https://github.com/cloudflare/circl/pull/569
• Bumping up to Go1.25 by @​armfazh in https://github.com/cloudflare/circl/pull/574
• ci: Including WASM compilation. by @​armfazh in https://github.com/cloudflare/circl/pull/577
• Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @​harshiniwho in https://github.com/cloudflare/circl/pull/578
• Release v1.6.2 by @​armfazh in https://github.com/cloudflare/circl/pull/579

New Contributors

• @​dfaranha made their first contribution in https://github.com/cloudflare/circl/pull/547
• @​elementrics made their first contribution in https://github.com/cloudflare/circl/pull/562
• @​harshiniwho made their first contribution in https://github.com/cloudflare/circl/pull/578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.