Timing Attacks against the Syndrome Inversion in Code-Based Cryptosystems

Abstract: Abstract. In this work we present the first practical key-aimed timing attack against code-based cryptosystems. It arises from vulnerabilities that are present in the inversion of the error syndrome through the Extended Euclidean Algorithm that is part of the decryption operation of these schemes. Three types of timing vulnerabilities are combined to a successful attack. Each is used to gain information about the secret support, which is part of code-based decryption keys: The first allows recovery of the zero… Show more

“…This type of attack was already published in [16,18]. The two steps using the EEA are considered as independent parts.…”

“…In fact, the main problem of previous attacks is the limited number of cases that can be exploited. They just can be applied on wt(e) ∈ {2, 4} as shown in [16] or wt(e) ∈ {2, 4, 6} as presented in [18].…”

“…It was shown in [18] that the syndrome inversion leaks some information. The attack is based on the number of iterations used in the EEA, in order to compute the inverse of the syndrome polynomial S(x) modulo the Goppa polynomial g(x).…”

“…We will not detail here all conditions, as they are well explained in [18], but we only give some important facts in order to make things clearer and to prepare the attack. Let us consider the ELP…”

“…Falko Strenzke's articles mention several weak points mostly situated in the decoding algorithm [14,16,18,19]. Some of these can be repaired by an intelligent and cautious way of the programming manner where countermeasures were proposed in [1, 3,19].…”

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

“…This type of attack was already published in [16,18]. The two steps using the EEA are considered as independent parts.…”

“…In fact, the main problem of previous attacks is the limited number of cases that can be exploited. They just can be applied on wt(e) ∈ {2, 4} as shown in [16] or wt(e) ∈ {2, 4, 6} as presented in [18].…”

“…It was shown in [18] that the syndrome inversion leaks some information. The attack is based on the number of iterations used in the EEA, in order to compute the inverse of the syndrome polynomial S(x) modulo the Goppa polynomial g(x).…”

“…We will not detail here all conditions, as they are well explained in [18], but we only give some important facts in order to make things clearer and to prepare the attack. Let us consider the ELP…”

“…Falko Strenzke's articles mention several weak points mostly situated in the decoding algorithm [14,16,18,19]. Some of these can be repaired by an intelligent and cautious way of the programming manner where countermeasures were proposed in [1, 3,19].…”

Improved Timing Attacks against the Secret Permutation in the McEliece PKC

A Key-Recovery Timing Attack on Post-quantum Primitives Using the Fujisaki-Okamoto Transformation and Its Application on FrodoKEM

Post-Quantum Hardware Security