Don’t Forget Your Roots: Constant-Time Root Finding over $$\mathbb {F}_{2^m}$$

“…Our proposal is based on the works of Berlekamp as is the Berlekamp Trace Algorithm. The proposal for BTA in [Martins et al 2019] results in a more constant performance when comparing the number of CPU cycles of multiple executions of the algorithm to find the roots of polynomials of a certain degree t. It does not address the variation in the number of CPU cycles when receiving an input of degree t and receiving an input of degree d < t, as we do in this work. Our proposal focuses on a more constant behavior when comparing the number of CPU cycles it takes to find the roots of polynomials of different degrees d < t when expecting t errors in the McEliece cryptosystem.…”

“…In [Martins et al 2019], proposals are given to avoid timing side-channel attacks over the root-finding algorithm in the decoding step. The work describes countermeasures for four methods: exhaustive search, linearized polynomials, Berlekamp Trace Algorithm (BTA), and the Successive Resultant Algorithm.…”

“…Both have constant-time behavior for any input polynomial, regardless of the input degree. In [Martins et al 2019] some countermeasures are proposed for other deterministic algorithms. However, countermeasures for probabilistic algorithms are not included.…”

Towards constant-time probabilistic root finding for code-based cryptography

“…Our proposal is based on the works of Berlekamp as is the Berlekamp Trace Algorithm. The proposal for BTA in [Martins et al 2019] results in a more constant performance when comparing the number of CPU cycles of multiple executions of the algorithm to find the roots of polynomials of a certain degree t. It does not address the variation in the number of CPU cycles when receiving an input of degree t and receiving an input of degree d < t, as we do in this work. Our proposal focuses on a more constant behavior when comparing the number of CPU cycles it takes to find the roots of polynomials of different degrees d < t when expecting t errors in the McEliece cryptosystem.…”

“…In [Martins et al 2019], proposals are given to avoid timing side-channel attacks over the root-finding algorithm in the decoding step. The work describes countermeasures for four methods: exhaustive search, linearized polynomials, Berlekamp Trace Algorithm (BTA), and the Successive Resultant Algorithm.…”

“…Both have constant-time behavior for any input polynomial, regardless of the input degree. In [Martins et al 2019] some countermeasures are proposed for other deterministic algorithms. However, countermeasures for probabilistic algorithms are not included.…”

Towards constant-time probabilistic root finding for code-based cryptography

Probabilistic root finding in code-based cryptography