A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Conference paper, Progress in Cryptology - AFRICACRYPT 2023 (AFRICACRYPT 2023)

Abstract

The NIST Post-Quantum Cryptography (PQC) standardization process was launched in December 2016 and has recently released its first results. The whole process has given considerable momentum to research in post-quantum cryptography, in particular to practical aspects such as the study of the vulnerability of post-quantum algorithms to side-channel attacks. In this paper, we present a realistic template attack against the reference implementation of Classic McEliece, which is a finalist of the 4th round of NIST PQC standardization. This profiled attack allows us to accurately recover the Hamming weight of each coefficient of the Goppa polynomial. With only one decryption, this result first enables us to find the Goppa polynomial directly in the case of weak keys, using the method of Loidreau and Sendrier (P. Loidreau and N. Sendrier, “Weak keys in the McEliece public-key cryptosystem”, IEEE Trans. Inf. Theory, 2001). Then, in the case of “slightly less weak keys”, we also recover this polynomial by an exhaustive search of low complexity. Finally, we propose the best complexity reduction for exhaustive Goppa polynomial search over \(\mathbb {F}_{2^m}\). We attack the constant-time implementation of Classic McEliece proposed by Chen et al. This implementation, which follows the NIST specification, runs on an stm32f4-Discovery microcontroller with a 32-bit ARM Cortex-M4.
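The abstract's central point is that leaking only the Hamming weight of each Goppa polynomial coefficient already collapses the exhaustive-search space. The following Python example, added here and not taken from the paper, quantifies that collapse from a defender's point of view: it counts how many elements of \(\mathbb {F}_{2^m}\) (represented, as in the reference implementation, as m-bit integers) share a given Hamming weight, and compares the remaining search effort with a blind search over all \(2^{mt}\) monic polynomials. It assumes the leak is exact and that the t coefficients are independent; the parameters m = 12, t = 64 are those of the mceliece348864 parameter set and are not stated on this page, and the per-coefficient weight vector is constructed for illustration.

```python
from itertools import combinations
from math import comb, log2


def elements_of_weight(m: int, w: int):
    """Yield every element of F_{2^m}, viewed as an m-bit integer in a
    polynomial basis, whose Hamming weight is exactly w.
    There are comb(m, w) of them."""
    for bits in combinations(range(m), w):
        value = 0
        for b in bits:
            value |= 1 << b
        yield value


def candidates_per_coefficient(m: int, w: int) -> int:
    """Number of field elements consistent with a leaked weight w."""
    return comb(m, w)


def blind_search_bits(m: int, t: int) -> int:
    """log2 of the candidate set for a monic degree-t polynomial with
    no leakage: t coefficients, m bits each."""
    return m * t


def remaining_search_bits(m: int, weights) -> float:
    """log2 of the candidate set once the weight of each of the t
    coefficients is known: product of comb(m, w_i) over all i.
    A coefficient of weight 0 or m is fully determined (1 candidate)."""
    return sum(log2(candidates_per_coefficient(m, w)) for w in weights)


def expected_remaining_bits_per_coefficient(m: int) -> float:
    """Average log2(candidates) for a uniformly random coefficient,
    i.e. how much of the m bits survives an exact weight leak."""
    total = 2 ** m
    return sum(comb(m, w) / total * log2(comb(m, w)) for w in range(m + 1))


def leakage_report(m: int, t: int, weights) -> dict:
    """Summarise blind vs. weight-informed search cost for one key."""
    assert len(weights) == t, "one leaked weight per coefficient g_0..g_{t-1}"
    return {
        "blind_bits": blind_search_bits(m, t),
        "remaining_bits": remaining_search_bits(m, weights),
        "avg_bits_lost_per_coeff": m - expected_remaining_bits_per_coefficient(m),
    }


if __name__ == "__main__":
    M, T = 12, 64  # assumption: mceliece348864 parameters (not on the page)

    # Constructed weight vector: a key whose coefficients all have small
    # weight, in the spirit of the "slightly less weak keys" of the paper.
    low_weight_key = [w for w in (0, 1, 2, 1, 0, 2, 1, 1)] * 8

    report = leakage_report(M, T, low_weight_key)
    print(f"blind search:      2^{report['blind_bits']}")
    print(f"with weight leak:  2^{report['remaining_bits']:.1f}")
    print(f"average bits lost per coefficient: "
          f"{report['avg_bits_lost_per_coeff']:.2f}")
    print("elements of F_{2^4} with weight 2:",
          [f"{e:04b}" for e in elements_of_weight(4, 2)])
```

The numbers make the risk concrete: for a uniformly random coefficient the leak removes a few bits out of m, which is a real but bounded loss, whereas for keys whose coefficients sit in the low-weight tail the remaining search drops from \(2^{mt}\) to something a desktop can enumerate. The mitigation side is the same as for any Hamming-weight leak when loading secret material: masking or otherwise decorrelating the loaded value from power consumption, and leakage assessment of the key-loading routine rather than only of the decoding core.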


Notes

  1. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.PDF.

  2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.PDF.

  3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.PDF.

  4. https://csrc.nist.gov/Projects/post-quantum-cryptography/workshops-and-timeline/pqc-seminars.

References

  1. Archambeau, C., Peeters, E., Standaert, F.-X., Quisquater, J.-J.: Template attacks in principal subspaces. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 1–14. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_1

  2. Avanzi, R., Hoerder, S., Page, D., Tunstall, M.: Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems. J. Cryptogr. Eng. 1(4), 271–281 (2011)

  3. Bardet, M., Chaulet, J., Dragoi, V., Otmani, A., Tillich, J.-P.: Cryptanalysis of the McEliece public key cryptosystem based on polar codes. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 118–143. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_9

  4. Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_15

  5. Bernstein, D.J., et al.: Classic McEliece: conservative code-based cryptography. In: NIST submissions (2017)

  6. Biham, E.: A fast new DES implementation in software. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 260–272. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052352

  7. Berlekamp, E., McEliece, R., Van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)

  8. Cayrel, P.-L., Colombier, B., Drăgoi, V.-F., Menu, A., Bossuet, L.: Message-recovery laser fault injection attack on the Classic McEliece cryptosystem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 438–467. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_15

  9. Chizhov, I.V., Borodin, M.A.: Effective attack on the McEliece cryptosystem based on Reed-Muller codes. Discrete Appl. Math. 24(5), 273–280 (2014)

  10. Chen, M.-S., Chou, T.: Classic McEliece on the ARM cortex-M4. IACR Trans. Crypt. Hardware Embed. Syst., 125–148 (2021)

  11. Cayrel, P.-L., Dusart, P.: McEliece/Niederreiter PKC: sensitivity to fault injection. In: International Conference on Future Information Technology, Busan, South Korea (2010)

  12. Chen, C., Eisenbarth, T., von Maurich, I., Steinwandt, R.: Horizontal and vertical side channel analysis of a McEliece cryptosystem. IEEE Trans. Inf. Forensics Secur. 11(6), 1093–1105 (2016)

  13. Chou, T.: McBits revisited. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 213–231. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_11

  14. Chou, T., et al.: Classic McEliece: conservative code-based cryptography 10 October 2020 (2020)

  15. Chen, Z., Ma, Y., Jing, J.: Low-cost shuffling countermeasures against side-channel attacks for NTT-based post-quantum cryptography. IEEE Trans. Comput.-Aided Design Integr. Circ. Syst. 42(1), 322–326 (2022)

  16. Chen, L., Moody, D., Liu, Y.: NIST post-quantum cryptography standardization (2017)

  17. Colombier, B., Dragoi, V.-F., Cayrel, P.-L., Grosso, V.: Physical security of code-based cryptosystems based on the syndrome decoding problem. In: Cryptarchi Workshop, Porquerolles, France (2022)

  18. Colombier, B., Drăgoi, V.-F., Cayrel, P.-L., Grosso, V.: Profiled side-channel attack on cryptosystems based on the binary syndrome decoding problem. IEEE Trans. Inf. Forensics Secur. (2022)

  19. Colombier, B., Grosso, V., Cayrel, P.-L., Drăgoi, V.-F.: Horizontal correlation attack on classic McEliece. Cryptology ePrint Archive, Paper 2023/546 (2023)

  20. Couvreur, A., Gaborit, P., Gauthier-Umaña, V., Otmani, A., Tillich, J.-P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Designs Codes Cryptogr. 73(2), 641–666 (2014)

  21. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3

  22. Deutsch, D., Jozsa, R.: Rapid solution of problems by quantum computation. Proc. R. Soc. London Ser. A: Math. Phys. Sci. 439(1907), 553–558 (1992)

  23. Eisenbarth, T., Paar, C., Weghenkel, B.: Building a side channel based disassembler. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds.) Transactions on Computational Science X. LNCS, vol. 6340, pp. 78–99. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17499-5_4

  24. Feynman, R.P.: Simulating physics with computers. In: Feynman and Computation, pp. 133–153. CRC Press (2018)

  25. Gyongyosi, L., Imre, S.: A survey on quantum computing technology. Comput. Sci. Rev. 31, 51–71 (2019)

  26. Guo, Q., Johansson, A., Johansson, T.: A key-recovery side-channel attack on classic McEliece implementations. IACR Trans. Cryptogr. Hardw. Embed. Syst. 800–827 (2022)

  27. Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006). https://doi.org/10.1007/11894063_2

  28. Grosso, V., Cayrel, P., Colombier, B., Dragoi, V.: Punctured syndrome decoding problem - efficient side-channel attacks against classic McEliece. In: Kavun, E.B., Pehl, M. (eds.) COSADE 2023. LNCS, vol. 13979, pp. 170–192. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-29497-6_9

  29. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

  30. Heyse, S., Moradi, A., Paar, C.: Practical power analysis attacks on software implementations of McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 108–125. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_9

  31. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  32. Kirshanova, E., May, A.: Decoding McEliece with a hint - secret Goppa key parts reveal everything. In: Galdi, C., Jarecki, S. (eds.) SCN 2022. LNCS, vol. 13409, pp. 3–20. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-031-14791-3_1

  33. Lahr, N., Niederhagen, R., Petri, R., Samardjiska, S.: Side channel information set decoding using iterative chunking. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 881–910. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_29

  34. Larsen, M.V., Guo, X., Breum, C.R., Neergaard-Nielsen, J.S., Andersen, U.L.: Deterministic multi-mode gates on a scalable photonic quantum computing platform. Nat. Phys. 17(9), 1018–1023 (2021)

  35. Loidreau, P., Sendrier, N.: Weak keys in the McEliece public-key cryptosystem. IEEE Trans. Inf. Theory 47(3), 1207–1211 (2001)

  36. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, 114–116 (1978)

  37. Misoczki, R., Tillich, J.-P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from Moderate Density Parity-Check codes. In: Proceedings of the IEEE International Symposium Information Theory - ISIT, pp. 2069–2073 (2013)

  38. Molter, H.G., Stöttinger, M., Shoufan, A., Strenzke, F.: A simple power analysis attack on a McEliece cryptoprocessor. J. Cryptogr. Eng. 1(1), 29–36 (2011)

  39. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer, Cham (2008). https://doi.org/10.1007/978-0-387-38162-6

  40. MacWilliams, F.J., Sloane, N.J.A.: The theory of error correcting codes, vol. 16. Elsevier, Amsterdam (1977)

  41. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inform. Theory 15(2), 157–166 (1986)

  42. O’Flynn, C., Chen, Z.D.: ChipWhisperer: an open-source platform for hardware embedded security research. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 243–260. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10175-0_17

  43. Otmani, A., Kalachi, H.T.: Square code attack on a modified Sidelnikov cryptosystem. In: El Hajji, S., Nitaj, A., Carlet, C., Souidi, E.M. (eds.) C2SI 2015. LNCS, vol. 9084, pp. 173–183. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18681-8_14

  44. Ravi, P., Chattopadhyay, A., D’Anvers, J.P., Baksi, A.: Side-channel and fault-injection attacks over lattice-based post-quantum schemes (Kyber, Dilithium): survey and new results. Cryptology ePrint Archive, Paper 2022/737 (2022)

  45. Rechberger, C., Oswald, E.: Practical template attacks. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31815-6_35

  46. Saarinen, M.-J.O.: WiP: applicability of ISO standard side-channel leakage tests to NIST post-quantum cryptography. In: 2022 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 69–72 (2022)

  47. Seck, B., et al.: Key-recovery by side-channel information on the matrix-vector product in code-based cryptosystems. In: International Conference on Information Security and Cryptology, Seoul, South Korea (2022)

  48. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)

  49. Sidelnikov, V.M.: A public-key cryptosystem based on Reed-Muller codes. Discrete Appl. Math. 4(3), 191–207 (1994)

  50. Shrestha, S.R., Kim, Y.-S.: New McEliece cryptosystem based on polar codes as a candidate for post-quantum cryptography. In: 2014 14th International Symposium on Communications and Information Technologies (ISCIT), pp. 368–372. IEEE (2014)

  51. Takeda, S., Furusawa, A.: Toward large-scale fault-tolerant universal photonic quantum computing. APL Photon. 4(6), 060902 (2019)

  52. Wang, W., Szefer, J., Niederhagen, R.: FPGA-based Niederreiter cryptosystem using binary Goppa codes. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 77–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_4

Acknowledgments

The author Jean Belo Klamti was supported by a grant of the Ripple Impact Fund/Silicon Valley Community Foundation (Grant 2018-188473).

Author information

Corresponding author: Boly Seck

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Seck, B. et al. (2023). A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_5

  • DOI: https://doi.org/10.1007/978-3-031-37679-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37678-8

  • Online ISBN: 978-3-031-37679-5

  • eBook Packages: Computer Science (R0)