A Timing Attack against the Secret Permutation in the McEliece PKC

“…This work extends on the analysis given in [11] in multiple ways: first of all, we find that a control flow ambiguity causing leakage in terms of the linear equations is manifest already in the syndrome inversion preceding the solving of the key equation in the decryption operation, and consequently the countermeasure proposed in that work is insufficient. We also show that there exists a timing side channel vulnerability in the syndrome inversion that allows the attacker to gain knowledge of the zero-element of the secret support.…”

“…Table 1 The control flow for the second EEA invocation, i.e. the solving of the key equation, for the case w = 4 has been analyzed in [11], there it is shown that in the case of σ 3 = 0 the number of iterations N is zero, whereas in the case σ 3 = 0 it is one. In that work, a countermeasure is proposed that removes the possibility to exploit the according timing differences in the second EEA invocation.…”

“…In that work, a countermeasure is proposed that removes the possibility to exploit the according timing differences in the second EEA invocation. However, due the fact that, as shown in Section 3.2, timing differences reveal σ 3 = 0 already in the syndrome inversion EEA, the countermeasure proposed in [11] is insufficient.…”

“…Accordingly, they have received growing interested from researchers in the past years and been analyzed with respect to efficiency on various platforms [4][5][6][7][8]. Furthermore, a growing number of works has investigated the side channel security of code-based cryptosystems [9][10][11][12][13][14].…”

“…In [11], a timing attack is proposed that targets the secret support that is part of the private key in codebased cryptosystems. From the time taken by the solving of the key equation the attacker learns linear equations about the support in this attack.…”

Timing Attacks against the Syndrome Inversion in Code-Based Cryptosystems

“…This work extends on the analysis given in [11] in multiple ways: first of all, we find that a control flow ambiguity causing leakage in terms of the linear equations is manifest already in the syndrome inversion preceding the solving of the key equation in the decryption operation, and consequently the countermeasure proposed in that work is insufficient. We also show that there exists a timing side channel vulnerability in the syndrome inversion that allows the attacker to gain knowledge of the zero-element of the secret support.…”

“…Table 1 The control flow for the second EEA invocation, i.e. the solving of the key equation, for the case w = 4 has been analyzed in [11], there it is shown that in the case of σ 3 = 0 the number of iterations N is zero, whereas in the case σ 3 = 0 it is one. In that work, a countermeasure is proposed that removes the possibility to exploit the according timing differences in the second EEA invocation.…”

“…In that work, a countermeasure is proposed that removes the possibility to exploit the according timing differences in the second EEA invocation. However, due the fact that, as shown in Section 3.2, timing differences reveal σ 3 = 0 already in the syndrome inversion EEA, the countermeasure proposed in [11] is insufficient.…”

“…Accordingly, they have received growing interested from researchers in the past years and been analyzed with respect to efficiency on various platforms [4][5][6][7][8]. Furthermore, a growing number of works has investigated the side channel security of code-based cryptosystems [9][10][11][12][13][14].…”

“…In [11], a timing attack is proposed that targets the secret support that is part of the private key in codebased cryptosystems. From the time taken by the solving of the key equation the attacker learns linear equations about the support in this attack.…”

Timing Attacks against the Syndrome Inversion in Code-Based Cryptosystems

On the CCA2 Security of McEliece in the Standard Model

A Key-Recovery Timing Attack on Post-quantum Primitives Using the Fujisaki-Okamoto Transformation and Its Application on FrodoKEM