Abstract
In this paper, we present a single-trace attack on a BIKE Cortex-M4 implementation proposed by Chen et al. at CHES 2021. BIKE is a key-encapsulation mechanism and a candidate in the NIST post-quantum cryptography standardisation process. Our attack exploits the rotation function that circularly shifts an array depending on the private key. Chen et al. implemented two versions of this function, one in C and one in assembly. Our attack uses sub-trace clustering combined with a combinatorial attack to recover the full private key. We obtained a high clustering accuracy in our experiments, and we provide ways to deal with the errors. We are able to recover all the private keys for the C implementation, and while the assembly version is harder to attack using our technique, we still manage to reduce BIKE Level 1 security from 128 to 65 bits for a significant proportion of the private keys.
References
Aguilar Melchor, C., et al.: BIKE. Round 3 Submission to the NIST Post-Quantum Cryptography Call, vol. 4.2 (2021)
Berlekamp, E., McEliece, R., Van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
Agathe, C., Nicolas, A., Tania, R., Benoît, G.: GitHub repository scabike. https://github.com/benoitgerard/scabike
Chen, M.S., Chou, T., Krausz, M.: Optimizing BIKE for the Intel Haswell and ARM Cortex-M4. IACR Trans. Cryptographic Hardware Embed. Syst., 97–124 (2021)
Chou, T.: QcBits: constant-time small-key code-based cryptography. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 280–300. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_14
Drucker, N., Gueron, S., Kostic, D.: QC-MDPC decoders with several shades of gray. In: Ding, J., Tillich, J.P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 35–50. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_3
Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962)
Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_2
Horlemann, A.L., Puchinger, S., Renner, J., Schamberger, T., Wachter-Zeh, A.: Information-set decoding with hints. In: Wachter-Zeh, A., Bartz, H., Liva, G. (eds.) Code-Based Cryptography Workshop, vol. 13150, pp. 60–83. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-98365-9_4
MacQueen, J.: Classification and analysis of multivariate observations. In: 5th Berkeley Symposium on Mathematical Statistics Probability, pp. 281–297 (1967)
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073. IEEE (2013)
Richter-Brockmann, J., Chen, M.S., Ghosh, S., Güneysu, T.: Racing BIKE: improved polynomial multiplication and inversion in hardware. IACR Trans. Cryptographic Hardware Embed. Syst. 2022(1), 557–588 (2021)
Rossi, M., Hamburg, M., Hutter, M., Marson, M.E.: A side-channel assisted cryptanalytic attack against QcBits. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 3–23. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_1
Reinders, A.H., Misoczki, R., Ghosh, S., Sastry, M.R.: Efficient BIKE hardware design with constant-time decoder. In: 2020 IEEE International Conference on Quantum Computing and Engineering (QCE), pp. 197–204. IEEE (2020)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Sim, B.Y., Kwon, J., Choi, K.Y., Cho, J., Park, A., Han, D.G.: Novel side-channel attacks on quasi-cyclic code-based cryptography. IACR Trans. Cryptographic Hardware Embed. Syst., 180–212 (2019)
A Analysis of the ISD Complexity
We first formalize the instance of the syndrome decoding problem we want to solve. Let \(\mathcal {C}\) be the code that admits as a generator matrix the public key \((\textbf{1}, h)\) and let H be a parity-check matrix of this code. By definition we know that the vector \((h_0, h_1)\) is a codeword of \(\mathcal {C}\), hence \(H(h_0, h_1)^T = 0\). This gives us an instance of the SD problem [2] with H of size \(r \times n\) over \(\mathbb {F}_2\), where \(n=2r\), that admits the private key \((h_0, h_1)\) of weight w as a solution.
To solve this instance, we use Prange's information set decoding (ISD) algorithm. The principle is as follows: in each iteration, we choose a subset of r columns among n (called an information set), and we solve the linear system \(H'e^T = 0\), where \(H'\) is the square submatrix of H obtained by extracting the r chosen columns. If all the nonzero coordinates of the desired solution \((h_0, h_1)\) are in the set of the chosen columns, then we obtain a solution to our ISD instance; otherwise we obtain a random solution and try again with another subset. The probability of success is \(\binom{r}{w} / \binom{n}{w}\), and this is what we aim to improve using the additional information from our side-channel analysis.
The information we obtain is the same as the hints described in [HPR+21, Section 4], the only difference being that we use a parity-check matrix instead of a generator matrix; we study how well this algorithm behaves compared to the classical Prange algorithm in our particular case. We use the same definitions as in [HPR+21]: let \(\mathcal {W}\) be the set \(\{1, \dots , n\}\), partitioned into subsets \(\mathcal {W}_i\). We assume that we know the weight of the secret \((h_0, h_1)\) restricted to each subset \(\mathcal {W}_i\). Recall that in our case, each nonzero position of \((h_0, h_1)\) is encoded by \(l = \lceil \log_2(r) \rceil \) bits. If we suppose that we recover the \(l_1\) most significant bits of each position, then the set \(\mathcal {W}\) is partitioned into \(N = 2 \lceil \frac{r}{2^{l-l_1}} \rceil \) subsets \(\mathcal {W}_i\) of cardinality \(2^{l-l_1}\), except for the two subsets covering the highest coordinates in both \(h_i\), which are of size \(r \bmod 2^{l-l_1}\). From our side-channel analysis we know the weight \(t_i\) of the private key restricted to each subset \(\mathcal {W}_i\).
To improve the probability of success of the Prange algorithm, we changed our strategy of choosing the information set. We tested two different approaches:
1. Randomly choose the information set among the \(\mathcal {W}_i\) corresponding to values of \(t_i \ne 0\) (we refer to this technique as the classical Prange algorithm in the following),
2. Fix the number of columns chosen in each \(\mathcal {W}_i\) depending on the value of \(t_i\).
Theorem 1
Let \(\mathcal {I}\) be the set \(\{i \mid t_i \ne 0\}\), and let \(c = \sum \limits _{i \in \mathcal {I}} |\mathcal {W}_i|\). The probability of success of the classical Prange algorithm using hints from our side-channel analysis is:
The second approach is the one described in [HPR+21], adapted to work with parity-check matrices. We fix a vector \(x \in \mathbb {Z}^N\) such that \(x_i \geqslant t_i\) and \(\sum \limits _i x_i = r\). Then, to sample an information set, we choose for each i a random subset \(\mathcal {X}_i \subseteq \mathcal {W}_i\) of cardinality \(x_i\), and then proceed to solve the linear system as in the Prange algorithm.
Theorem 2
[HPR+21] The probability of success of the Prange algorithm using hints from our side-channel analysis is:
The last step to evaluate the complexity of this algorithm is to choose the best vector x (i.e. the one that maximizes the success probability of the algorithm). We use a greedy approach as in [HPR+21] to perform this step:
1. Initially, choose \(x_i = |\mathcal {W}_i|\) if \(t_i \ne 0\) and \(x_i = 0\) otherwise.
2. While \(\sum \limits _i x_i > r\), decrease by one the \(x_i\) that reduces the probability of success the least.
[HPR+21, Appendix E] gives a proof of why this approach yields the optimal choice for x.
Remark 5
If after the initial step of the algorithm, we have \(\sum \limits _i x_i \leqslant r\), then the probability of success of the algorithm is 1.
Among the BIKE private keys, some are easier to recover than others using this technique. Indeed, the more \(t_i\) equal to 0 we have, the better the attack performs, since it allows choosing more positions in the subsets containing at least one nonzero position. For this reason, we compute the complexity of our attack by averaging the complexities for 10 random private keys. We run the following experiment: for the BIKE Level 1 parameter set (\(r=12323, w=142\)), we compute the probability of success of the Prange algorithm for different values of \(l_1\), i.e. the number of recovered bits among the 14 bits used to encode each coordinate for this parameter set.
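As an added example (not the paper's or the scabike repository's code), the following Python computes the success probability of both information-set strategies from the hints \((|\mathcal{W}_i|, t_i)\), runs the greedy choice of x, and repeats the averaging experiment of this paragraph on random BIKE Level 1 keys. The closed forms are derived here from the sampling procedures described above (the theorem statements themselves are not reproduced on this page), and the key model (w/2 uniformly random positions per half, fixed seed) is an assumption of the example.

```python
import math
import random
def log2_comb(n, k):
    """log2 of C(n, k) via lgamma; -inf when k > n."""
    if not 0 <= k <= n:
        return -math.inf
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)) / math.log(2)

def hints(key_positions, r, l1):
    """Split each half of (h_0, h_1) into blocks W_i of 2^(l-l1) coordinates (the last
    block of a half may be shorter); return the sizes |W_i| and the key weights t_i."""
    l = math.ceil(math.log2(r))
    block = 2 ** (l - l1)
    per_half = math.ceil(r / block)
    sizes = ([block] * (per_half - 1) + [r - block * (per_half - 1)]) * 2
    t = [0] * len(sizes)
    for p in key_positions:            # p indexes the concatenation (h_0, h_1)
        half, q = divmod(p, r)
        t[half * per_half + q // block] += 1
    return sizes, t

def log2_success_classical(sizes, t, r, w):
    """Strategy 1: r columns drawn from the c columns of blocks with t_i != 0; the
    draw must contain all w key positions: C(c-w, r-w)/C(c, r) = C(r, w)/C(c, w)."""
    c = sum(s for s, ti in zip(sizes, t) if ti)
    return 0.0 if c <= r else log2_comb(r, w) - log2_comb(c, w)

def log2_success_hinted(sizes, t, x):
    """Strategy 2: independent draws of x_i columns in W_i, each covering its t_i key positions."""
    return sum(log2_comb(xi, ti) - log2_comb(s, ti) for s, ti, xi in zip(sizes, t, x))

def greedy_x(sizes, t, r):
    """Greedy of the page: x_i = |W_i| where t_i != 0, else 0; while sum(x) > r lower the
    x_i whose C(x_i-1,t_i)/C(x_i,t_i) = (x_i-t_i)/x_i is largest (least loss of success)."""
    x = [s if ti else 0 for s, ti in zip(sizes, t)]
    total = sum(x)
    while total > r:
        i = max((j for j in range(len(x)) if x[j] > t[j]), key=lambda j: (x[j] - t[j]) / x[j])
        x[i], total = x[i] - 1, total - 1
    return x

def bike_level1_experiment(l1, trials=10, seed=1, r=12323, w=142):
    """Mean log2(1/p_success) over random keys (w/2 positions per half); seed and sampling are assumptions."""
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(trials):
        key = rng.sample(range(r), w // 2) + [r + p for p in rng.sample(range(r), w // 2)]
        sizes, t = hints(key, r, l1)
        acc -= log2_success_hinted(sizes, t, greedy_x(sizes, t, r))
    return acc / trials
```

With \(l_1 = 8\) the blocks holding key positions already cover at most \(142 \cdot 64 < r\) columns, so the experiment returns 0 bits, which is the situation of Remark 5.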
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Cheriere, A., Aragon, N., Richmond, T., Gérard, B. (2023). BIKE Key-Recovery: Combining Power Consumption Analysis and Information-Set Decoding. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_27
DOI: https://doi.org/10.1007/978-3-031-33488-7_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7