Skip to main content
SpringerLink
Log in

Message-Recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem

  • Conference paper
  • First Online:
Book cover Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12697))

Abstract

Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually \(\mathbb {F}_{2}\), guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in \(\mathbb {N}\) instead. By means of laser fault injection, we illustrate how to compute the matrix-vector product in \(\mathbb {N}\) by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in \(\mathbb {N}\), we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real-time message recovery attacks against the code-based proposal to the NIST Post-Quantum Cryptography standardization challenge. We perform our attacks in the worst-case scenario, i.e. considering random binary codes, and retrieve the initial message within minutes on a desktop computer.

Our attack targets the reference implementation of the Niederreiter cryptosystem in the NIST PQC competition finalist Classic McEliece and is practically feasible for all proposed parameters sets of this submission. For example, for the 256-bit security parameters sets, we successfully recover the message in a couple of seconds on a desktop computer Finally, we highlight the fact that the attack is still possible if only a fraction of the syndrome entries are faulty. This makes the attack feasible even though the fault injection does not have perfect repeatability and reduces the computational complexity of the attack, making it even more practical overall.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 139.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://classic.mceliece.org/nist.html.

  2. 2.

    https://www.shoup.net/ntl/.

  3. 3.

    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.

  4. 4.

    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf.

  5. 5.

    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf.

  6. 6.

    http://lpsolve.sourceforge.net/5.5/.

  7. 7.

    https://www.ibm.com/products/ilog-cplex-optimization-studio.

  8. 8.

    https://www.gurobi.com.

  9. 9.

    https://static.docs.arm.com/ddi0403/e/DDI0403E_B_armv7m_arm.pdf.

  10. 10.

    as implemented by the syndrome function in the encrypt.c source file of the software submission of Classic McEliece : https://classic.mceliece.org/nist.html.

  11. 11.

    https://static.docs.arm.com/ddi0403/e/DDI0403E_B_armv7m_arm.pdf.

  12. 12.

    http://ww1.microchip.com/downloads/en/devicedoc/31029a.pdf.

  13. 13.

    https://riscv.org/specifications/isa-spec-pdf/.

References

  1. Albrecht, M.R., et al.: Classic McEliece, submission to the NIST post quantum standardization process (November 2017)

    Google Scholar 

  2. Andersen, E.D., Andersen, K.D.: The MOSEK interior point optimizer for linear programming: an implementation of the homogeneous algorithm. In: Frenk, H., Roos, K., Terlaky, T., Zhang, S. (eds.) High performance optimization, vol. 33, pp. 197–232. Springer, Boston (2000) https://doi.org/10.1007/978-1-4757-3216-0_8

  3. Aragon, N., et al.: BIKE: Bit Flipping Key Encapsulation, submission to the NIST post quantum standardization process (December 2017)

    Google Scholar 

  4. Aragon, N., et al.: Rollo (merger of Rank-Ouroboros, LAKE and LOCKER). Second round submission to the NIST post-quantum cryptography call (2020)

    Google Scholar 

  5. Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 3–24. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_1

    Chapter  MATH  Google Scholar 

  6. Barenghi, A., Bertoni, G.M., Breveglieri, L., Pellicioli, M., Pelosi, G.: Fault attack on AES with single-bit induced faults. In: International Conference on Information Assurance and Security, pp. 167–172. Atlanta, IEEE (August 2010)

    Google Scholar 

  7. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1+1=0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

    Chapter  MATH  Google Scholar 

  8. Berlekamp, E.R., McEliece, R.J., van Tilborg, H.C.A.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theor. 24(3), 384–386 (1978)

    Google Scholar 

  9. Bernstein, D.J.: Post-quantum cryptography. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd edn., pp. 949–950. Springer, New York (2011). https://doi.org/10.1007/978-1-4419-5906-5_386

  10. Bertsimas, D., Tsitsiklis, J.N.: Introduction to Linear Organisation, Athena Scientific Optimization and Computation Series, vol. 6. Athena Scientific, Belmont (1997)

    Google Scholar 

  11. Borghoff, J.: Mixed-integer linear programming in the analysis of trivium and ktantan. IACR Cryptology ePrint Archive 2012, 676 (2012). http://eprint.iacr.org/2012/676

  12. Borghoff, J., Knudsen, L.R., Stolpe, M.: Bivium as a mixed-integer linear programming problem. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 133–152. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_9

    Chapter  Google Scholar 

  13. Bukasa, S.K., Lashermes, R., Lanet, J., Legay, A.: Let’s shock our IoT’s heart: ARMv7-M under (fault) attacks. In: Doerr, S., Fischer, M., Schrittwieser, S., Herrmann, D. (eds.) International Conference on Availability, Reliability and Security, pp. 33:1–33:6. ACM, Hamburg, Germany (August 2018)

    Google Scholar 

  14. Colombier, B., Menu, A., Dutertre, J.M., Moëllic, P.A., Rigaud, J.B., Danger, J.L.: Laser-induced single-bit faults in flash memory: Instructions corruption on a 32-bit microcontroller. In: IEEE International Symposium on Hardware Oriented Security and Trust, pp. 1–10. McLean, VA, USA (May 2019)

    Google Scholar 

  15. Dantzig, G.B.: Maximization of a linear function of variables subject to linear inequalities. Activity Anal. Prod. Allocation 13, 339–347 (1951)

    MathSciNet  Google Scholar 

  16. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    Article  MathSciNet  Google Scholar 

  17. Dragoi, V.F., Cayrel, P.L., Colombier, B., Bucerzan, D., Hoara, S.: Solving a modified syndrome decoding problem using integer programming. Int. J. Comput. Commun. Control 15(5), 1–9 (2020)

    Article  Google Scholar 

  18. Dutertre, J.-M., Riom, T., Potin, O., Rigaud, J.-B.: Experimental analysis of the laser-induced instruction skip fault model. In: Askarov, A., Hansen, R.R., Rafnsson, W. (eds.) NordSec 2019. LNCS, vol. 11875, pp. 221–237. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35055-0_14

    Chapter  Google Scholar 

  19. Feldman, J.: Decoding error-correcting codes via linear programming. Ph.D. thesis, Massachusetts Institute of Technology, Cambridge, MA, USA (2003)

    Google Scholar 

  20. Feldman, J., Wainwright, M.J., Karger, D.R.: Using linear programming to decode binary linear codes. IEEE Trans. Inf. Theory 51(3), 954–972 (2005)

    Article  MathSciNet  Google Scholar 

  21. Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447_4

    Chapter  Google Scholar 

  22. Helmling, M., Ruzika, S., Tanatmis, A.: Mathematical programming decoding of binary linear codes: theory and algorithms. IEEE Trans. Inf. Theory 58(7), 4753–4769 (2012)

    Article  MathSciNet  Google Scholar 

  23. Johnson, E.L., Nemhauser, G.L., Savelsbergh, M.W.P.: Progress in linear programming-based algorithms for integer programming: an exposition. INFORMS J. Comput. 12(1), 2–23 (2000)

    Article  MathSciNet  Google Scholar 

  24. Karmarkar, N.: A new polynomial-time algorithm for linear programming. Combinatorica 4(4), 373–396 (1984)

    Article  MathSciNet  Google Scholar 

  25. Klee, V., Minty, G.J.: How good is the simplex algorithm. Inequalities 3(3), 159–175 (1972)

    MathSciNet  MATH  Google Scholar 

  26. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)

    Article  MathSciNet  Google Scholar 

  27. Lahr, N., Niederhagen, R., Petri, R., Samardjiska, S.: Side channel information set decoding using iterative chunking. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 881–910. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_29

    Chapter  Google Scholar 

  28. Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_25

    Chapter  Google Scholar 

  29. Lee, Y.T., Sidford, A.: Efficient inverse maintenance and faster algorithms for linear programming. In: Guruswami, V. (ed.) IEEE Annual Symposium on Foundations of Computer Science, pp. 230–249. IEEE Computer Society, Berkeley, CA, USA (October 2015)

    Google Scholar 

  30. Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)

    Article  MathSciNet  Google Scholar 

  31. Liao, H., Gebotys, C.H.: Methodology for EM fault injection: charge-based fault model. In: Teich, J., Fummi, F. (eds.) Design, Automation & Test in Europe Conference & Exhibition, pp. 256–259. IEEE, Florence, Italy (March 2019)

    Google Scholar 

  32. Luppold, A., Oehlert, D., Falk, H.: Evaluating the performance of solvers for integer-linear programming. Technical Report, Hamburg University of Technology (2018). https://doi.org/10.15480/882.1839, https://tore.tuhh.de/handle/11420/1842

  33. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, vol. 16. Elsevier, New York (1977)

    Google Scholar 

  34. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

    Chapter  MATH  Google Scholar 

  35. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

    Chapter  Google Scholar 

  36. McEliece, R.J.: A public-key system based on algebraic. Coding Theory 4244, 114–116 (1978)

    Google Scholar 

  37. Megiddo, N.: On finding primal- and dual-optimal bases. INFORMS J. Comput. 3(1), 63–65 (1991)

    Article  MathSciNet  Google Scholar 

  38. Menu, A., Dutertre, J., Rigaud, J., Colombier, B., Moëllic, P., Danger, J.: Single-bit laser fault model in NOR flash memories: analysis and exploitation. In: Workshop on Fault Detection and Tolerance in Cryptography, pp. 41–48. IEEE, Milan, Italy (September 2020)

    Google Scholar 

  39. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31

    Chapter  Google Scholar 

  40. Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., Encrenaz, E.: Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller. In: Fischer, W., Schmidt, J. (eds.) Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 77–88. IEEE Computer Society, Los Alamitos, CA, USA (August 2013)

    Google Scholar 

  41. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5

    Chapter  MATH  Google Scholar 

  42. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory 15(2), 159–166 (1986)

    MathSciNet  MATH  Google Scholar 

  43. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)

    Article  MathSciNet  Google Scholar 

  44. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Article  MathSciNet  Google Scholar 

  45. Rivière, L., Najm, Z., Rauzy, P., Danger, J., Bringer, J., Sauvage, L.: High precision fault injections on the instruction cache of armv7-m architectures. In: IEEE International Symposium on Hardware Oriented Security and Trust. pp. 62–67. IEEE Computer Society, Washington, DC, USA (May 2015)

    Google Scholar 

  46. Roth, J., Karatsiolis, E., Krämer, J.: Classic McEliece implementation with low memory footprint. In: Liardet, P.-Y., Mentens, N. (eds.) CARDIS 2020. LNCS, vol. 12609, pp. 34–49. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68487-7_3

    Chapter  Google Scholar 

  47. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

    Article  MathSciNet  Google Scholar 

  48. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

    Chapter  Google Scholar 

  49. Taghavi, M.H., Shokrollahi, A., Siegel, P.H.: Efficient implementation of linear programming decoding. IEEE Trans. Inf. Theory 57(9), 5960–5982 (2011)

    Article  MathSciNet  Google Scholar 

  50. Tanatmis, A., Ruzika, S., Hamacher, H.W., Punekar, M., Kienle, F., Wehn, N.: A separation algorithm for improved lp-decoding of linear block codes. IEEE Trans. Inf. Theory 56(7), 3277–3289 (2010)

    Article  MathSciNet  Google Scholar 

  51. Vaidya, P.M.: Speeding-up linear programming using fast matrix multiplication (extended abstract). In: Annual Symposium on Foundations of Computer Science, pp. 332–337. IEEE Computer Society, Research Triangle Park, North Carolina, USA (October 1989)

    Google Scholar 

  52. Virtanen, P., et al.: SciPy 1.0: fundamental algorithms for scientific computing in python. Nature Methods 17(3), 261–272 (2020)

    Google Scholar 

  53. Vontobel, P.O.: Interior-point algorithms for linear-programming decoding. In: Information Theory and Applications Workshop, pp. 433–437. IEEE, San Diego, CA, USA (January 2008)

    Google Scholar 

  54. Wadayama, T.: An LP decoding algorithm based on primal path-following interior point method. In: International Symposium on Information Theory, pp. 389–393. IEEE, Seoul, Korea (June 2009)

    Google Scholar 

Download references

Acknowledgments

This work was carried out in the framework of the FUIAAP22-Project PILAS supported by Bpifrance. V-F. Drăgoi was supported by a grant of the Romanian Ministry of Education and Research, CNCS - UEFISCDI, project number PN-III-P1-1.1-PD-2019-0285, within PNCDI III.

Author information

Authors and Affiliations

  1. Univ Lyon, UJM-Saint-Etienne, CNRS, Laboratoire Hubert Curien UMR 5516, 42023, Saint-Etienne, France

    Pierre-Louis Cayrel & Lilian Bossuet

  2. Univ Grenoble Alpes, CNRS, Grenoble INP, TIMA, 38000, Grenoble, France

    Brice Colombier

  3. Faculty of Exact Sciences, Aurel Vlaicu University, Arad, Romania

    Vlad-Florin Drăgoi

  4. LITIS, University of Rouen Normandie, Mont-Saint-Aignan, France

    Vlad-Florin Drăgoi

  5. IMT, Mines Saint-Etienne, Centre CMP, Equipe Commune CEA Tech-Mines Saint-Etienne, 13541, Gardanne, France

    Alexandre Menu

Authors
  1. Pierre-Louis Cayrel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Brice Colombier
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vlad-Florin Drăgoi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Alexandre Menu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lilian Bossuet
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vlad-Florin Drăgoi .

Editor information

Editors and Affiliations

  1. Inria, Paris, France

    Anne Canteaut

  2. UCLouvain, Louvain-la-Neuve, Belgium

    François-Xavier Standaert

A Other Instruction Sets

A Other Instruction Sets

Here are a few examples of possible corruptions of the exclusive-OR instruction in other instruction sets than the one we considered in the article. ARMv7 In the ARMv7Footnote 11 instruction set, the exclusive-OR instruction (EORS.W) can be corrupted into a saturated addition instruction (QADD) as shown in Fig. 10.

Fig. 10.
figure 10

Fault by bit-sets on the ARMv7 exclusive-OR instruction

Full size image

PIC. In the PICFootnote 12 instruction set, the exclusive-OR instruction (XORWF) can be corrupted into an addition instruction (ADDWF) as shown in Fig. 11.

Fig. 11.
figure 11

Fault by bit-set on the PIC exclusive-OR instruction

Full size image

RISC-V Compressed. In the RISC-V compressedFootnote 13 instruction set, the exclusive-OR instruction (C.XOR) can be corrupted into an addition instruction (C.ADDW) as shown in Fig. 12.

Fig. 12.
figure 12

RISC-V encoding of the exclusive-OR instruction and a possible fault feasible by bit-set

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cayrel, PL., Colombier, B., Drăgoi, VF., Menu, A., Bossuet, L. (2021). Message-Recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-77886-6_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77885-9

  • Online ISBN: 978-3-030-77886-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation