A Key-Recovery Side-Channel Attack on Classic McEliece Implementations

Guo, Qian; Johansson, Andréas; Johansson, Thomas

doi:10.46586/tches.v2022.i4.800-827

Cited by 13 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In Section 4, we use this result to find the Goppa polynomial directly in the case of weak keys and reduce the complexity of the exhaustive search for the Goppa polynomial on F 2 m . Section 5 compares our attack with a recent side-channel attack of Guo et al [GJJ22] on Classic McEliece and finally, we conclude this paper in Section 6.…”

Section: Contributionmentioning

confidence: 98%

“…Common countermeasure fail against our attack We recall that our attack on the loading function of the Goppa polynomial coefficients is performed on the optimized reference implementation of Classic McEliece on ARM-Cortex M4 [CC21]. This reference implementation represents the side-channel attack target of several recent papers [Cay+21;Col+22b;GJJ22]. Shuffling is nowadays one of the most common and effective countermeasure techniques against most side-channel attacks [CMJ22].…”

mentioning

confidence: 99%

“…This polynomial evaluation over F 2 m is realized thanks to the implementation of the additive FFT after having calculated the error locator polynomial with the Berlekamp-Massey (BM) algorithm. Recently, Guo et al[GJJ22] proposed a key-recovery side-channel attack on reference implementations (on FPGA and ARM Cortex-M4) [CC21; WSN18] of Classic McEliece. They design an attack algorithm in which they submit special ciphertexts to the decryption oracle that correspond to single error cases in the plaintexts.…”

mentioning

confidence: 99%

See 2 more Smart Citations

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Seck

Cayrel

Drăgoi

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The NIST Post-Quantum Cryptography (PQC) standardization challenge was launched in December 2016 and recently, has released its first results. The whole process has given a considerable dynamic to the research in post-quantum cryptography, in particular to practical aspects, such as the study of the vulnerabilities of post-quantum algorithms to side-channel attacks. In this paper, we present a realistic template attack against the reference implementation of Classic McEliece which is a finalist of the 4th round of NIST PQC standardization. This profiled attack allowed us to accurately find the Hamming weight of each coefficient of the Goppa polynomial. With only one decryption, this result enables us first, to find directly the Goppa polynomial in the case of weak keys with the method of Loidreau and Sendrier (P. Loidreau and N. Sendrier, "Weak keys in the McEliece public-key cryptosystem", IEEE Trans. Inf. Theory, 2001). Then, in the case of "slightly less weak keys", we also find this polynomial with an exhaustive search with low complexity. Finally, we propose the best complexity reduction for exhaustive Goppa polynomial search on F2m . We attack the constant-time implementation of Classic McEliece proposed by Chen et al.. This implementation, which follows the NIST specification, is realized on a stm32f4-Discovery microcontroller with a 32-bit ARM Cortex-M4.

show abstract

Section: Contributionmentioning

confidence: 98%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Seck

Cayrel

Drăgoi

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In particular, Classic McEliece has been implemented on 32-bit microprocessor ARM Cortex-M4 [7], with the limitation that the public key must be stored in the flash memory, and on a Xlilinx Artix-7 FPGA [8]. Implementations on constrained platforms, such as micro-controllers or FPGAs, also lead to physical attacks against different algorithms of codebased cryptography [13,5,9,12]. For example, it has been shown that the session key can be recovered by side-channel attacks with multiple observations during the decapsulation process [13] or with a single observation during the encapsulation process [9].…”

Section: Introductionmentioning

confidence: 99%

Punctured Syndrome Decoding Problem

Grosso

Cayrel

Colombier

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Among the fourth round finalists of the NIST post-quantum cryptography standardization process for public-key encryption algorithms and key encapsulation mechanisms, three rely on hard problems from coding theory. Key encapsulation mechanisms are frequently used in hybrid cryptographic systems: a public-key algorithm for key exchange and a secret key algorithm for communication. A major point is thus the initial key exchange that is performed thanks to a key encapsulation mechanism. In this paper, we analyze side-channel vulnerabilities of the key encapsulation mechanism implemented by the Classic McEliece cryptosystem, whose security is based on the syndrome decoding problem. We use side-channel leakages to reduce the complexity of the syndrome decoding problem by reducing the length of the code considered. The columns punctured from the original code reduce the complexity of a hard problem from coding theory. This approach leads to efficient profiled side-channel attacks that recover the session key with high success rates, even in noisy scenarios.

show abstract

“…This is the only known timing attack on HQC and one can protect against it by a more careful implementation of the rejection sampling step. The attack efficiency was further improved in [GNNJ23] with techniques from coding theory.…”

Section: Introductionmentioning

confidence: 99%

Cache-Timing Attack Against HQC

Huang

Sim

Chuengsatiansup

et al. 2023

TCHES

View full text Add to dashboard Cite

In this paper, we present the first chosen-ciphertext (CC) cache-timing attacks on the reference implementation of HQC. We build a cache-timing based distinguisher for implementing a plaintext-checking (PC) oracle. The PC oracle uses side-channel information to check if a given ciphertext decrypts to a given message. This is done by identifying a vulnerability during the generating process of two vectors in the reference implementation of HQC. We also propose a new method of using PC oracles for chosen-ciphertext side-channel attacks against HQC, which may have independent interest.We show a general proof-of-concept attack, where we use the Flush+Reload technique and also derive, in more detail, a practical attack on an HQC execution on Intel SGX, where the Prime+Probe technique is used. We show the exact path to do key recovery by explaining the detailed steps, using the PC oracle. In both scenarios, the new attack requires 53, 857 traces on average with much fewer PC oracle calls than the timing attack of Guo et al. CHES 2022 on an HQC implementation.

show abstract

A Key-Recovery Side-Channel Attack on Classic McEliece Implementations

Cited by 13 publications

References 20 publications

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Punctured Syndrome Decoding Problem

Cache-Timing Attack Against HQC

Contact Info

Product

Resources

About