Don’t Forget Your Roots: Constant-Time Root Finding over \(\mathbb {F}_{2^m}\)

  • Douglas MartinsEmail author
  • Gustavo Banegas
  • Ricardo Custódio
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11774)


In the last few years, post-quantum cryptography has received much attention. NIST is running a competition to select some post-quantum schemes as standard. As a consequence, implementations of post-quantum schemes have become important and with them side-channel attacks. In this paper, we show a timing attack on a code-based scheme which was submitted to the NIST competition. This timing attack recovers secret information because of a timing variance in finding roots in a polynomial. We present four algorithms to find roots that are protected against remote timing exploitation.


Side-channel attack Post-quantum cryptography Code-based cryptography Roots finding 



We want to thank the reviewers for the thoughtful comments on this work. We would also like to thank Tanja Lange for her valuable feedback. We want to extend the acknowledgments to Sonia Belaïd from Cryptoexperts for the discussions about timing attacks.

Supplementary material


  1. 1.
    Banegas, G., et al.: DAGS: key encapsulation using dyadic GS codes. J. Math. Cryptol. 12(4), 221–239 (2018) MathSciNetCrossRefGoogle Scholar
  2. 2.
    Bardet, M., et al.: BIG QUAKE BInary Goppa QUAsi-cyclic Key Encapsulation, Technical report, National Institute of Standards and Technology (NIST) (2017)Google Scholar
  3. 3.
    Berlekamp, E.: Algebraic Coding Theory. World Scientific (2015)Google Scholar
  4. 4.
    Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: Cache-timing attacks on AES (2005).
  6. 6.
    Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018).
  7. 7.
    Biswas, B., Sendrier, N.: HyMES - an open source implementation of the McEliece cryptosystem (2008).
  8. 8.
    Black, P.E.: Fisher-Yates shuffle. In: Dictionary Algorithms Data Structures. Accessed 23 Aug 2019
  9. 9.
    Bruinderink, L.G., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload - a cache attack on the BLISS lattice-based signature scheme. In: Proceedings of the 18th International Conference Cryptographic Hardware and Embedded Systems - CHES 2016, Santa Barbara, CA, USA, 17–19 August 2016, pp. 323–345 (2016). Scholar
  10. 10.
    Bucerzan, D., Cayrel, P.L., Drağoi, V., Richmond, T.: Improved timing attacks against the secret permutation in the McEliece PKC. Int. J. Comput. Commun. Control 12(1), 7–25 (2017)CrossRefGoogle Scholar
  11. 11.
    Chor, B., Rivest, R.L.: A knapsack-type public key cryptosystem based on arithmetic in finite fields. IEEE Trans. Inf. Theor. 34(5), 901–909 (1988)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Chou, T.: McBits revisited. In: Proceedings of the 19th International Conference on Cryptographic Hardware and Embedded Systems - CHES 2017, Taipei, Taiwan, 25–28 September 2017, pp. 213–231 (2017). Scholar
  13. 13.
    Davenport, J.H., Petit, C., Pring, B.: A generalised successive resultants algorithm. In: Duquesne, S., Petkova-Nikova, S. (eds.) WAIFI 2016. LNCS, vol. 10064, pp. 105–124. Springer, Cham (2016). Scholar
  14. 14.
    Fedorenko, S.V., Trifonov, P.V.: Finding roots of polynomials over finite fields. IEEE Trans. Commun. 50(11), 1709–1711 (2002)CrossRefGoogle Scholar
  15. 15.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Prog. Rep. 44, 114–116 (1978)Google Scholar
  16. 16.
    Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: 16th Annual International Workshop on Selected Areas in Cryptography, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009, Revised Selected Papers, pp. 376–392 (2009). Scholar
  17. 17.
    Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (1975)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Petit, C.: Finding roots in GF\((p^n)\) with the successive resultant algorithm. IACR Cryptology ePrint Archive 2014, 506 (2014)Google Scholar
  19. 19.
    Savage, C.: A survey of combinatorial Gray codes. SIAM Rev. 39(4), 605–629 (1997)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Shoufan, A., Strenzke, F., Molter, H.G., Stöttinger, M.: A timing attack against Patterson algorithm in the McEliece PKC. In: 12th International Conference on Information, Security and Cryptology - ICISC 2009, Seoul, Korea, 2–4 December 2009, Revised Selected Papers, pp. 161–175 (2009). Scholar
  21. 21.
    Strenzke, F.: Fast and secure root finding for code-based cryptosystems. In: Proceedings of the 11th International Conference on Cryptology and Network Security, CANS 2012, Darmstadt, Germany, 12–14 December 2012, pp. 232–246 (2012). Scholar
  22. 22.
    Strenzke, F.: Efficiency and implementation security of code-based cryptosystems. Ph.D. thesis, Technische Universität (2013)Google Scholar
  23. 23.
    The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.7) (2019).
  24. 24.
    Truong, T.K., Jeng, J.H., Reed, I.S.: Fast algorithm for computing the roots of error locator polynomials up to degree 11 in Reed-Solomon decoders. IEEE Trans. Commun. 49(5), 779–783 (2001)CrossRefGoogle Scholar
  25. 25.
    Wang, W., Szefer, J., Niederhagen, R.: FPGA-based Niederreiter cryptosystem using binary Goppa codes. In: Proceedings of the 9th International Conference Post-Quantum Cryptography, PQCrypto 2018, Fort Lauderdale, FL, USA, 9–11 April 2018, pp. 77–98 (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Douglas Martins
    • 1
    Email author
  • Gustavo Banegas
    • 2
    • 3
  • Ricardo Custódio
    • 1
  1. 1.Departamento de Informática e EstatísticaUniversidade Federal de Santa CatarinaFlorianópolisBrazil
  2. 2.Department of Mathematics and Computer ScienceTechnische Universiteit EindhovenEindhovenThe Netherlands
  3. 3.Chalmers University of TechnologyGothenburgSweden

Personalised recommendations