A practicable timing attack against HQC and its countermeasure

Wafo-Tapa, Guillaume; Bettaieb, Slim; Bidoux, Loïc; Gaborit, Philippe; Marcatel, Etienne

doi:10.3934/amc.2020126

Cited by 4 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For those who had heard of specific tools, but had not attempted to use them, we were also interested in their reasoning. The reasons were varied, many including a lack of resources such as time (26 ) or RAM, CPU cores and machine (1 ). Participants also reported on bad availability (4 ), and maintenance (5 ), as well as insufficient language support (4 ), and other usability issues, such as problems with setting up the tool (3 ), or getting it to work properly post setup (1 ).…”

Section: ) Tool Experience and Use Cases (Rq3b)mentioning

confidence: 99%

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

Jančár

Fourné

Braga

et al. 2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

Section: ) Tool Experience and Use Cases (Rq3b)mentioning

confidence: 99%

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

Jančár

Fourné

Braga

et al. 2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…In 2019 and 2020, the first version of HQC based on BCH codes was attacked by Timing attacks (TA). These TA [17,25] use a correlation between the weight of the decoded error and the computation time of the decoder. As a result, HQC authors' team proposed a constant time implementation for decoding BCH codes to mitigate these TA.…”

Section: Introductionmentioning

confidence: 99%

A New Key Recovery Side-Channel Attack on HQC with Chosen Ciphertext

Goy

Loiseau

Gaborit

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Hamming Quasi-Cyclic (HQC) is a code-based candidate of NIST post-quantum standardization procedure. The decoding steps of code-based cryptosystems are known to be vulnerable to side-channel attacks and HQC is no exception to this rule. In this paper, we present a new key recovery side-channel attack on HQC with chosen ciphertext. Our attack takes advantage of the reuse of a static secret key on a micro-controller with a physical access. The goal is to retrieve the static secret key by targeting the Reed-Muller decoding step of the decapsulation and more precisely the Hadamard transform. This function is known for its diffusion property, a property that we exploit through sidechannel analysis. The side-channel information is used to build an Oracle that distinguishes between several decoding patterns of the Reed-Muller codes. We show how to query the Oracle such that the responses give a full information about the static secret key. Experiments show that less than 20.000 electromagnetic attack traces are sufficient to retrieve the whole static secret key used for the decapsulation. Finally, we present a masking-based countermeasure to thwart our attack.

show abstract

“…As such, their security against other types of side-channel attacks needs further investigation. The optimized decoder proposed by Wafo-Tapa et al [WTBBG19] can yield reasonable overheads, between 3% and 11%, for the different security levels provided by the HQC instances. Hopefully, with further study on constant-time BCH decoders, lower overheads can be achieved.…”

Section: Discussion On Countermeasuresmentioning

confidence: 97%

“…This is useful to reduce the number of decryption timings the attacker needs to perform. Shortly after this paper was accepted for publication, Wafo-Tapa et al [WTBBG19] published a preprint in the Cryptology ePrint Archive in which they also present a timing attack against HQC. Our attack is stronger in the sense that it only uses valid ciphertexts, while the attack by Wafo-Tapa et al [WTBBG19] uses malformed ciphertexts to better control the extraction of secret information.…”

Section: Introductionmentioning

confidence: 99%

“…Shortly after this paper was accepted for publication, Wafo-Tapa et al [WTBBG19] published a preprint in the Cryptology ePrint Archive in which they also present a timing attack against HQC. Our attack is stronger in the sense that it only uses valid ciphertexts, while the attack by Wafo-Tapa et al [WTBBG19] uses malformed ciphertexts to better control the extraction of secret information. However, their paper comes with a countermeasure, which consists of a constant-time BCH decoder with a low overhead.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Attacking and defending post-quantum cryptography candidates

Paiva¹

View full text Add to dashboard Cite

Em criptografia pós-quântica, estamos interessados em esquemas criptográficos baseados em problemas cuja solução, acredita-se, não pode ser encontrada eficientemente nem com o uso de computadores quânticos. Esta dissertação, escrita no formato de coletânea de artigos, apresenta contribuições originais sobre a segurança e implementação de três candidatos a esquemas pós-quânticos: HQC, PKP e BIKE. Ambos HQC e BIKE são esquemas de encapsulamento de chaves (KEM) baseados em códigos corretores de erros que foram selecionados pelo NIST como candidatos alternativos em seu processo de padronização de esquemas pós-quânticos. O problema do núcleo permutado (PKP) é um problema NPdifícil que pode ser usado para instanciar esquemas pós-quânticos de assinaturas digitais. A primeira contribuição é um ataque ao HQC usando informações sobre o tempo de execução do algoritmo de encriptação. Este ataque permite a um atacante recuperar a chave privada de uma vítima após medir o tempo de execução de 400 milhões de operações de decriptação, considerando parâmetros para 128 bits de segurança. A segunda contribuição consiste no primeiro ataque a uma generalização do PKP para corpos pequenos. Para parâmetros que prometem 80 bits de segurança, o ataque recupera uma fração de 2 −40 das chaves com apenas 2 48 operações, e aproximadamente 7.2% das chaves com 2 62 operações.A terceira e última contribuição consiste num novo algoritmo de decriptação para o BIKE.

show abstract

A practicable timing attack against HQC and its countermeasure

Cited by 4 publications

References 11 publications

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

A New Key Recovery Side-Channel Attack on HQC with Chosen Ciphertext

Attacking and defending post-quantum cryptography candidates

Contact Info

Product

Resources

About