Side Channels in the McEliece PKC

  • Falko Strenzke
  • Erik Tews
  • H. Gregor Molter
  • Raphael Overbeck
  • Abdulhadi Shoufan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5299)


The McEliece public key cryptosystem (PKC) is regarded as secure in the presence of quantum computers because no efficient quantum algorithm is known for the problems on which this cryptosystem is built. As we show in this paper, a straightforward implementation of this system may feature several side channels. Specifically, we present a timing attack which was executed successfully against a software implementation of the McEliece PKC. Furthermore, the critical system components for key generation and decryption are inspected to identify channels enabling power and cache attacks. Implementation measures are proposed as countermeasures against these attacks.


Keywords: side channel attack · timing attack · post quantum cryptography





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Falko Strenzke (1)
  • Erik Tews (2)
  • H. Gregor Molter (3)
  • Raphael Overbeck (4)
  • Abdulhadi Shoufan (3)

  1. FlexSecure GmbH, Germany
  2. Cryptography and Computeralgebra, Department of Computer Science, Technische Universität Darmstadt, Germany
  3. Integrated Circuits and Systems Lab, Department of Computer Science, Technische Universität Darmstadt, Germany
  4. Ecole Polytechnique Fédérale de Lausanne, Switzerland
