
BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding

  • Conference paper
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13905)


Abstract

In this paper, we present a single-trace attack on a BIKE Cortex-M4 implementation proposed by Chen et al. at CHES 2021. BIKE is a key-encapsulation mechanism and a candidate in the NIST post-quantum cryptography standardisation process. Our attack exploits the rotation function, which circularly shifts an array by an amount that depends on the private key. Chen et al. implemented two versions of this function, one in C and one in assembly. Our attack combines subtrace clustering with a combinatorial attack to recover the full private key. We obtained a high clustering accuracy in our experiments, and we provide ways to deal with the errors. We are able to recover all the private keys for the C implementation; the assembly version is harder to attack with our technique, but we still reduce BIKE Level-1 security from 128 to 65 bits for a significant proportion of the private keys.


References

  1. Aguilar Melchor, C., et al.: BIKE. Round 3 Submission to the NIST Post-Quantum Cryptography Call, vol. 4.2 (2021)

  2. Berlekamp, E., McEliece, R., Van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)

  3. Cheriere, A., Aragon, N., Richmond, T., Gérard, B.: GitHub repository sca-bike. https://github.com/benoitgerard/sca-bike

  4. Chen, M.S., Chou, T., Krausz, M.: Optimizing BIKE for the Intel Haswell and ARM Cortex-M4. In: IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 97–124 (2021)

  5. Chou, T.: QcBits: constant-time small-key code-based cryptography. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 280–300. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_14

  6. Drucker, N., Gueron, S., Kostic, D.: QC-MDPC decoders with several shades of gray. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 35–50. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_3

  7. Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962)

  8. Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_2

  9. Horlemann, A.L., Puchinger, S., Renner, J., Schamberger, T., Wachter-Zeh, A.: Information-set decoding with hints. In: Wachter-Zeh, A., Bartz, H., Liva, G. (eds.) Code-Based Cryptography Workshop, vol. 13150, pp. 60–83. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-98365-9_4

  10. MacQueen, J.: Classification and analysis of multivariate observations. In: 5th Berkeley Symposium on Mathematical Statistics and Probability, pp. 281–297 (1967)

  11. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073. IEEE (2013)

  12. Richter-Brockmann, J., Chen, M.-S., Ghosh, S., Güneysu, T.: Racing BIKE: improved polynomial multiplication and inversion in hardware. IACR Trans. Cryptographic Hardware Embed. Syst. 2022(1), 557–588 (2021)

  13. Rossi, M., Hamburg, M., Hutter, M., Marson, M.E.: A side-channel assisted cryptanalytic attack against QcBits. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 3–23. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_1

  14. Reinders, A.H., Misoczki, R., Ghosh, S., Sastry, M.R.: Efficient BIKE hardware design with constant-time decoder. In: 2020 IEEE International Conference on Quantum Computing and Engineering (QCE), pp. 197–204. IEEE (2020)

  15. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  16. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

  17. Sim, B.Y., Kwon, J., Choi, K.Y., Cho, J., Park, A., Han, D.G.: Novel side-channel attacks on quasi-cyclic code-based cryptography. IACR Trans. Cryptographic Hardware Embed. Syst. 180–212 (2019)

Correspondence to Agathe Cheriere or Nicolas Aragon.


A Analysis of the ISD Complexity

We first formalize the instance of the syndrome decoding problem we want to solve. Let \(\mathcal {C}\) be the code that admits as a generator matrix the public key \((\textbf{1}, h)\) and let H be a parity-check matrix of this code. By definition we know that the vector \((h_0, h_1)\) is a codeword of \(\mathcal {C}\), hence \(H(h_0, h_1)^T = 0\). This gives us an instance of the SD problem [2] with H of size \(r \times n\) over \(\mathbb {F}_2\), where \(n=2r\), that admits the private key \((h_0, h_1)\) of weight w as a solution.

To solve this instance, we use Prange’s information set decoding (ISD) algorithm. The principle is as follows: in each iteration, we choose a subset of r columns among n (called an information set), and we solve the linear system \(H'e^T = 0\), where \(H'\) is the square submatrix of H obtained by extracting the r chosen columns. If all the nonzero coordinates of the desired solution \((h_0, h_1)\) are in the set of the chosen columns, then we obtain a solution to our ISD instance, otherwise we obtain a random solution and try again with another subset. The probability of success is \(\frac{\binom{r}{w}}{\binom{n}{w}}\), and this is what we aim to improve using the additional information from our side-channel analysis.

The information we obtain is the same as the hints described in [HPR+21, Section 4]; the only difference is that we use a parity-check matrix instead of a generator matrix, so we study how well this algorithm behaves compared to the classical Prange algorithm in our particular case. We use the same definitions as in [HPR+21]: let \(\mathcal {W}\) be the set \(\{1, \dots , n\}\), partitioned into subsets \(\mathcal {W}_i\). We assume that we know the weight of the secret \((h_0, h_1)\) restricted to each subset \(\mathcal {W}_i\). Recall that in our case, each nonzero position of \((h_0, h_1)\) is encoded on \(l = \lceil \log_2(r) \rceil \) bits. If we suppose that we recover the \(l_1\) most significant bits of each position, then the set \(\mathcal {W}\) is partitioned into \(N = 2 \lceil \frac{r}{2^{l-l_1}} \rceil \) subsets \(\mathcal {W}_i\) of cardinality \(2^{l-l_1}\), except for the two subsets covering the highest coordinates of \(h_0\) and \(h_1\), which are of size \(r \bmod 2^{l-l_1}\). From our side-channel analysis we know the weight \(t_i\) of the private key restricted to each subset \(\mathcal {W}_i\).

To improve the probability of success of the Prange algorithm, we change the strategy for choosing the information set. We tested two different approaches:

  1. Randomly choose the information set among the \(\mathcal {W}_i\) corresponding to values of \(t_i \ne 0\) (we refer to this technique as the classical Prange algorithm in the following),

  2. Fix the number of columns chosen in each \(\mathcal {W}_i\) depending on the value of \(t_i\).

Theorem 1

Let \(\mathcal {I}\) be the set \(\{i | t_i \ne 0\}\), and let \(c = \sum \limits _{i \in \mathcal {I}} |\mathcal {W}_i|\). The probability of success of the classical Prange algorithm using hints from our side-channel analysis is:

$$\frac{\binom{r}{w}}{\binom{c}{w}}.$$

The second approach is the one described in [HPR+21], adapted to work with parity-check matrices. We fix a vector \(x \in \mathbb {Z}^N\) such that \(x_i \geqslant t_i\) and \(\sum \limits _i x_i = r\). Then, to sample an information set, we choose for each i a random subset \(\mathcal {X}_i \subseteq \mathcal {W}_i\) of cardinality \(x_i\), and then proceed to solve the linear system as in the Prange algorithm.

Theorem 2

[HPR+21] The probability of success of the Prange algorithm using hints from our side-channel analysis is:

$$\prod_{i=1}^{N} \frac{\binom{x_i}{t_i}}{\binom{|\mathcal {W}_i|}{t_i}}.$$

The last step to evaluate the complexity of this algorithm is to choose the best vector x (i.e. the one that maximizes the success probability of the algorithm). We use a greedy approach as in [HPR+21] to perform this step:

  • Initially, choose \(x_i = |\mathcal {W}_i|\) if \(t_i \ne 0\) and \(x_i = 0\) otherwise.

  • While \(\sum \limits _i x_i > r\), decrease by one the \(x_i\) that reduces the probability of success the least.

[HPR+21, Appendix E] gives a proof of why this approach yields the optimal choice for x.

Remark 5

If after the initial step of the algorithm, we have \(\sum \limits _i x_i \leqslant r\), then the probability of success of the algorithm is 1.

Among the BIKE private keys, some are easier to recover than others using this technique. Indeed, the more values \(t_i = 0\) there are, the better the attack performs, since more positions can then be chosen inside the subsets that contain at least one nonzero position. For this reason, we compute the complexity of our attack by averaging the complexities over 10 random private keys. We run the following experiment: for the BIKE Level-1 parameter set (\(r=12323, w=142\)), we compute the probability of success of the Prange algorithm for different values of \(l_1\), i.e. the number of recovered bits among the 14 bits used to encode each coordinate for this parameter set.
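As an added worked example (not code from the paper or from the authors' sca-bike repository), the following Python builds the partition of \(\mathcal {W}\) described above, derives the hints \(t_i\) from a key's support, evaluates Theorem 1 and Theorem 2, and runs the greedy choice of x. The toy parameters (r = 97, w = 7, \(l_1 = 2\)) and the key support are constructed assumptions, not a BIKE parameter set; the Remark 5 case (all hinted columns fit in one information set) is handled explicitly.

```python
from fractions import Fraction
from math import comb, ceil, log2

def partition(r, l1):
    """|W_i| per block: the l1 known MSBs of a position encoded on l = ceil(log2 r)
    bits leave 2^(l-l1) columns; h_0's blocks come first, then h_1's (offset r)."""
    block = 2 ** (ceil(log2(r)) - l1)
    full, rest = divmod(r, block)          # last block of each half: r mod 2^(l-l1)
    half = [block] * full + ([rest] if rest else [])
    return half + half

def hints(sizes, support):
    """t_i: weight of the secret on W_i (support in [0, 2r); coordinate j of h_1 is r + j)."""
    t, start = [], 0
    for s in sizes:
        t.append(sum(1 for p in support if start <= p < start + s))
        start += s
    return t

def classical_prange_prob(r, w, sizes, t):
    """Theorem 1; if c <= r every hinted column fits in one information set (Remark 5)."""
    c = sum(s for s, ti in zip(sizes, t) if ti)
    return Fraction(1) if c <= r else Fraction(comb(r, w), comb(c, w))

def hinted_prange_prob(sizes, t, x):
    """Theorem 2: prod_i C(x_i, t_i) / C(|W_i|, t_i)."""
    p = Fraction(1)
    for s, ti, xi in zip(sizes, t, x):
        p *= Fraction(comb(xi, ti), comb(s, ti))
    return p

def greedy_x(r, sizes, t):
    """Greedy x of [HPR+21]: x_i = |W_i| where t_i != 0, else 0; while sum(x) > r drop one
    column from the x_i hurting the product least (a decrement scales it by (x_i-t_i)/x_i)."""
    x = [s if ti else 0 for s, ti in zip(sizes, t)]
    while sum(x) > r:
        i = max((i for i in range(len(x)) if x[i] > t[i]),
                key=lambda i: Fraction(x[i] - t[i], x[i]))
        x[i] -= 1
    return x  # sum(x) < r is the Remark 5 case: the probability is already 1

def attack_cost(r, w, l1, support):
    """(Theorem 1 probability, Theorem 2 probability with greedy x, x) for one key."""
    sizes = partition(r, l1)
    t = hints(sizes, support)
    x = greedy_x(r, sizes, t)
    return classical_prange_prob(r, w, sizes, t), hinted_prange_prob(sizes, t, x), x

# Constructed toy key (assumption, not BIKE): r = 97 so l = 7, w = 7, l1 = 2 -> 32-column blocks
TOY = dict(r=97, w=7, l1=2, support={3, 20, 21, 50, 97 + 5, 97 + 40, 97 + 96})
```

`-log2(p)` of either probability is the per-iteration cost in bits, the quantity the experiment above averages over keys; for a second key with the same `r`, `w` and `l1`, only `support` changes.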

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Cheriere, A., Aragon, N., Richmond, T., Gérard, B. (2023). BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_27

  • DOI: https://doi.org/10.1007/978-3-031-33488-7_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33487-0

  • Online ISBN: 978-3-031-33488-7
