A Key-Recovery Side-Channel Attack on Classic McEliece Implementations

Cited by: 0
Authors
Guo Q. [1 ]
Johansson A. [1 ]
Johansson T. [1 ]
Affiliations
[1] Dept. of Electrical and Information Technology, Lund University, Lund
Source
IACR Transactions on Cryptographic Hardware and Embedded Systems | 2022 / Volume 2022 / Issue 4
Keywords
Classic McEliece; Code-based cryptography; NIST post-quantum standardization; side-channel attacks;
DOI
10.46586/tches.v2022.i4.800-827
Abstract
In this paper, we propose the first key-recovery side-channel attack on Classic McEliece, a KEM finalist in the NIST Post-quantum Cryptography Standardization Project. Our novel idea is to design an attack algorithm where we submit special ciphertexts to the decryption oracle that correspond to cases of single errors. Decoding of such ciphertexts involves only a single entry in a large secret permutation, which is part of the secret key. Through an identified leakage in the additive FFT step used to evaluate the error locator polynomial, a single entry of the secret permutation can be determined. Iterating this for other entries leads to full secret key recovery. The attack is described using power analysis both on the FPGA reference implementation and a software implementation running on an ARM Cortex-M4. We use a machine-learning-based classification algorithm to determine the error locator polynomial from a single trace. The attack is fully implemented and evaluated in the ChipWhisperer framework and is successful in practice. For the smallest parameter set, in the FPGA case, it uses about 300 traces for partial key recovery and fewer than 800 traces for full key recovery. A similar number of traces is required for a successful attack on the ARM software implementation. © 2022, Ruhr-University of Bochum. All rights reserved.
Pages: 800 / 827
Page count: 27