Profiled Side-Channel Attack on Cryptosystems Based on the Binary Syndrome Decoding Problem

Colombier, Brice; Drăgoi, Vlad; Cayrel, Pierre-Louis; Grosso, Vincent

doi:10.1109/tifs.2022.3198277

Cited by 6 publications

(21 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To perform classification of the HW classes, we have decided to Random Forest, the reason being is that it has been shown to be successful in the previous works [CDCG22] and it does not have to deal with a more complex hyperparameter tuning usually encountered in more complex models. Random Forest or RF [Bre01] is an ensemble learning algorithm, based on the construction of multiple decision trees.…”

Section: Profiling Phasementioning

confidence: 99%

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Ravi,

Paiva,

Jap

et al. 2024

TCHES

View full text Add to dashboard Cite

In an effort to circumvent the high cost of standard countermeasures against side-channel attacks in post-quantum cryptography, some works have developed low-cost detection-based countermeasures. These countermeasures try to detect maliciously generated input ciphertexts and react to them by discarding the ciphertext or secret key. In this work, we take a look at two previously proposed low-cost countermeasures: the ciphertext sanity check and the decapsulation failure check, and demonstrate successful attacks on these schemes. We show that the first countermeasure can be broken with little to no overhead, while the second countermeasure requires a more elaborate attack strategy that relies on valid chosen ciphertexts. Thus, in this work, we propose the first chosen-ciphertext based side-channel attack that only relies on valid ciphertexts for key recovery. As part of this attack, a third contribution of our paper is an improved solver that retrieves the secret key from linear inequalities constructed using side-channel leakage from the decryption procedure. Our solver is an improvement over the state-of-the-art Belief Propagation solvers by Pessl and Prokop, and later Delvaux. Our method is simpler, easier to understand and has lower computational complexity, while needing less than half the inequalities compared to previous methods.

show abstract

Section: Profiling Phasementioning

confidence: 99%

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Ravi,

Paiva,

Jap

et al. 2024

TCHES

View full text Add to dashboard Cite

show abstract

“…such that Sz T = z * . To get z * in N n−k , we will use the same method of the power analysis attack in [10]. This method is based on side-channel analysis using random forests to recover z * from the Hamming weight information obtained from the matrix-vector product in the first step of Niederreiter decryption.…”

Section: Contributionmentioning

confidence: 99%

“…) correctly, we can directly find the secret of the cryptosystem. We obtain directly the secret without solving the syndrome decoding problem unlike in [9,10] and this is applicable for most of the code-based cryptosystems.…”

Section: Contributionmentioning

confidence: 99%

“…Afterwards, Colombier et al [10] proposed to perform a message-recovery attack in Classic McEliece that relies on side-channel information only instead of laser fault injection in the previous work [9]. The latter depends on the very strong attacker model and does not apply to optimized implementations of the algorithm that make optimal usage of the machine words capacity.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

Seck

Cayrel

Diop³

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

“…Common countermeasure fail against our attack We recall that our attack on the loading function of the Goppa polynomial coefficients is performed on the optimized reference implementation of Classic McEliece on ARM-Cortex M4 [CC21]. This reference implementation represents the side-channel attack target of several recent papers [Cay+21;Col+22b;GJJ22]. Shuffling is nowadays one of the most common and effective countermeasure techniques against most side-channel attacks [CMJ22].…”

mentioning

confidence: 99%

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Seck

Cayrel

Drăgoi

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The NIST Post-Quantum Cryptography (PQC) standardization challenge was launched in December 2016 and recently, has released its first results. The whole process has given a considerable dynamic to the research in post-quantum cryptography, in particular to practical aspects, such as the study of the vulnerabilities of post-quantum algorithms to side-channel attacks. In this paper, we present a realistic template attack against the reference implementation of Classic McEliece which is a finalist of the 4th round of NIST PQC standardization. This profiled attack allowed us to accurately find the Hamming weight of each coefficient of the Goppa polynomial. With only one decryption, this result enables us first, to find directly the Goppa polynomial in the case of weak keys with the method of Loidreau and Sendrier (P. Loidreau and N. Sendrier, "Weak keys in the McEliece public-key cryptosystem", IEEE Trans. Inf. Theory, 2001). Then, in the case of "slightly less weak keys", we also find this polynomial with an exhaustive search with low complexity. Finally, we propose the best complexity reduction for exhaustive Goppa polynomial search on F2m . We attack the constant-time implementation of Classic McEliece proposed by Chen et al.. This implementation, which follows the NIST specification, is realized on a stm32f4-Discovery microcontroller with a 32-bit ARM Cortex-M4.

show abstract

Profiled Side-Channel Attack on Cryptosystems Based on the Binary Syndrome Decoding Problem

Cited by 6 publications

References 42 publications

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Key-Recovery by Side-Channel Information on the Matrix-Vector Product in Code-Based Cryptosystems

A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Contact Info

Product

Resources

About