2010
The McEliece and the Niederreiter public key cryptosystems (PKC) are supposed secure in a post quantum world (4) because there is no efficient quantum algorithm for the underlying problems upon which these cryptosystems are built. The CFS, Stern and KKS signature schemes are post-quantum secure because they are based on hard problems of coding theory. The purpose of this article is to describe what kind of attacks have been proposed against code-based constructions and what is missing.
Journal of Cryptographic Engineering, 2011
Research within "post-quantum" cryptography has focused on development of schemes that resist quantum cryptanalysis. However, if such schemes are to be deployed, practical questions of efficiency and physical security should also be addressed; this is particularly important for embedded systems. To this end, we investigate issues relating to side-channel attack against the McEliece and Niederreiter public-key cryptosystems, for example improving those presented by [20], and novel countermeasures against such attack.
Journal of Physics: Conference Series, 2019
We propose a new type of public-key cryptosystems (PKC) which is based on repetition of different error-correcting codes. We give a brief analysis of some well known attacks on code-based PKC, including structural ones and show that the scheme could be used as a perspective post-quantum PKC.
2021
Cryptography has been used from time immemorial for preserving the confidentiality of data/information in storage or in transit. Thus, cryptography research has also been evolving from the classical Caesar cipher to the modern cryptosystems based on modular arithmetic to the contemporary cryptosystems based on quantum computing. The emergence of quantum computing imposes a major threat on the modern cryptosystems based on modular arithmetic whereby, even the computationally hard problems which constitute for the strength of the modular arithmetic ciphers could be solved in deterministic time. This threat triggered post-quantum cryptography research in order to design and develop post-quantum algorithms that can withstand quantum computing attacks. This paper provides a review of the various post-quantum cryptography and, in specific, code-based cryptography research dimensions. The research directions that are yet to be explored in code-based cryptography resear...
Cryptography
Cryptography has been used from time immemorial for preserving the confidentiality of data/information in storage or transit. Thus, cryptography research has also been evolving from the classical Caesar cipher to the modern cryptosystems, based on modular arithmetic to the contemporary cryptosystems based on quantum computing. The emergence of quantum computing poses a major threat to the modern cryptosystems based on modular arithmetic, whereby even the computationally hard problems which constitute the strength of the modular arithmetic ciphers could be solved in polynomial time. This threat triggered post-quantum cryptography research to design and develop post-quantum algorithms that can withstand quantum computing attacks. This paper provides an overview of the various research directions that have been explored in post-quantum cryptography and, specifically, the various code-based cryptography research dimensions that have been explored. Some potential research directions that...
Eurasian Journal of Business and Management, 2017
The article describes alternatives to the RSA system, resistant to quantum attacks. There are described Hash-based Digital Signature Schemes and the McEliece system, based on the theory of algebraic coding. We analyzed their advantages and disadvantages, and considered some of the attacks on these systems. It is shown that today we are not prepared to transfer cryptosystems to the post-quantum era.
Advances in Computer Science and Information …, 2010
This survey provides a comparative overview of code-based signature schemes with respect to security and performance. Furthermore, we explicitly describe several code-based signature schemes with additional properties such as identity-based, threshold ring and blind signatures.
Cryptology and Network Security, 2018
Code-based public-key cryptosystems based on QC-LDPC and QC-MDPC codes are promising post-quantum candidates to replace quantum-vulnerable classical alternatives. However, a new type of attacks based on Bob's reactions have recently been introduced and appear to significantly reduce the length of the life of any keypair used in these systems. In this paper we estimate the complexity of all known reaction attacks against QC-LDPC and QC-MDPC code-based variants of the McEliece cryptosystem. We also show how the structure of the secret key and, in particular, the secret code rate affect the complexity of these attacks. It follows from our results that QC-LDPC code-based systems can indeed withstand reaction attacks, on condition that some specific decoding algorithms are used and the secret code has a sufficiently high rate.
This thesis gives an overview of the currently most mature key encapsulation mechanisms (KEMs) based on the theory of error correcting codes. It includes an introduction to the theory of error correcting codes in so much as it applies to these systems and how it can be used to encapsulate keys through a public key (PK) cryptosystem. In order to add context to the KEMs, first the required basics of coding theory and a selection of some of the most common error correcting codes are covered. Then, we revisit public key cryptosystems, key encapsulation, and the security threat models that are being used. This is followed by a thorough description of the current NIST candidates for KEM using post-quantum cryptography: Classic McEliece, BIKE, LEDAcrypt, and HQC. We do not include rank metric methods such as ROLLO and RQC, which were NIST candidates until the second round, since they involve different features than those studied in this thesis. The thesis is intended as a survey of current methods being used in this field. We also establish some of the problems which may pose interesting for further research.
IET Communications, 2020
IACR Cryptol. ePrint Arch., 2021
ROLLO is a candidate to the second round of the NIST Post-Quantum Cryptography standardization process. In the last update in April 2020, there was a key encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose an attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to perform a private key recovery. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By getting power measurements during the execution of the Gaussian elimination function, we are able to extract on a single trace each element of the syndrome. This attack can also be applied to the decryption process of ROLLO-II.
Lecture Notes in Computer Science, 2003
This paper contains three parts. In the first part we present a new side channel attack on plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attacks on the RSA encryption schemes PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). This is a new threat for those implementations of PKI in which the roles of signature and encryption keys are not strictly separated. This situation is often encountered in the SSL protocol used to secure access to web servers. In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to the problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.
Communications in Computer and Information Science, 2011
The last three years have witnessed tremendous progress in the understanding of code-based cryptography. One of its most promising applications is the design of cryptographic schemes with exceptionally strong security guarantees and other desirable properties. In contrast to number-theoretic problems typically used in cryptography, the underlying problems have so far resisted subexponential time attacks as well as quantum algorithms. This paper will survey the more recent developments.
WSEAS TRANSACTIONS ON SYSTEMS AND CONTROL, 2020
The paper is aimed at analyzing the classical McEliece and Niederreiter cryptosystems as well as the Quasi-Cyclic MDPC McEliece cipher in the context of post-quantum network security. Theoretical foundations of the aforesaid cryptographic schemes are considered. The characteristics of the given cryptosystems and other asymmetric encryption schemes are analyzed. The cipher metrics, which are considered in the paper, include cryptographic strength, performance, public key size and length of ciphertext. The binary Goppa codes are described in the context of their role for the cryptanalytic resistance of the classic McEliece and Niederreiter schemes. The crucial advantages and drawbacks of the aforementioned cryptosystems are analyzed. The prospects for application of these ciphers to the network security protocols are outlined. The investigations, which are aimed at finding ways to reduce the public key sizes and improve the energy efficiency of the given ciphers, are briefly described. A...
International Journal of Electrical and Computer Engineering (IJECE), 2023
Digital signatures are in high demand because they allow authentication and non-repudiation. Existing digital signature systems, such as digital signature algorithm (DSA), elliptic curve digital signature algorithm (ECDSA), and others, are based on number theory problems such as discrete logarithmic problems and integer factorization problems. These recently used digital signatures are not secure with quantum computers. To protect against quantum computer attacks, many researchers propose digital signature schemes based on error-correcting codes such as linear, Goppa, polar, and so on. We studied 16 distinct papers based on various error-correcting codes and analyzed their various features such as signing and verification efficiency, signature size, public key size, and security against multiple attacks.
This survey is on forward-looking, emerging security concerns in the post-quantum era, i.e., the implementation attacks for the 2022 winners of the NIST post-quantum cryptography (PQC) competition, and thus the visions, insights, and discussions can be used as a step forward towards scrutinizing the new standards for applications ranging from Metaverse/Web 3.0 to deeply-embedded systems. The rapid advances in quantum computing have brought immense opportunities for scientific discovery and technological progress; however, they pose a major risk to today's security since advanced quantum computers are believed to break all traditional public-key cryptographic algorithms. This has led to active research on PQC algorithms that are believed to be secure against classical and powerful quantum computers. However, algorithmic security is unfortunately insufficient, and many cryptographic algorithms are vulnerable to side-channel attacks (SCA), where an attacker passively or actively gets side-channel data to compromise the security properties that are assumed to be safe theoretically. In this survey, we explore such imminent threats and their countermeasures with respect to PQC. We provide the respective, latest advancements in PQC research, as well as assessments of and visions on the different types of SCAs. CCS Concepts: • Security and privacy → Digital signatures; Hardware attacks and countermeasures.
Amongst areas of cryptographic research, there has recently been a widening interest in code-based cryptosystems and their implementations. Besides their a priori resistance to quantum computer attacks, they represent a real alternative to the currently used cryptographic schemes. In this paper we consider the implementation of the Stern authentication scheme and one recent variation of this scheme by Aguilar et al. These two schemes allow public authentication and public signature with public and private keys of only a few hundred bits. The contributions of this paper are twofold: first, we describe how to implement a code-based signature in a constrained device through the Fiat-Shamir paradigm; in particular, we show how to deal with long signatures. Second, we implement and explain new improvements for code-based zero-knowledge signature schemes. We describe implementations for these signature and authentication schemes, secured against side channel attacks, which drastically improve the previous implementation presented at Cardis 2008 by Cayrel et al. We obtain a factor 3 reduction of speed and a factor of about 2 for the length of the signature. We also provide an extensive comparison with RSA signatures.
ArXiv, 2019
This technical report addresses code-based cryptography and is designed to depict the complete outline of a code based public key cryptosystem. This report includes basic mathematics and fundamentals of coding theory which are useful for studying code-based cryptography. Here, we briefly describe the first scheme of code based public key cryptosystems given by R. J. McEliece in 1978 and its improved version given by H. Niederreiter in 1986. We discuss the hard problems of coding theory which are used in code based cryptography and some classic attacks on it like information-set decoding (ISD). Successful implementation of the ISD attack on McEliece cryptosystem for some small parameters set is executed and the code for the same is provided in the Appendix. This report elaborates a key encapsulation mechanism (KEM), namely Classic McEliece, based on algebraic coding theory to establish a symmetric key for two users.
2011
Quantum computers can break the RSA, El Gamal, and elliptic curve public-key cryptosystems, as they can efficiently factor integers and extract discrete logarithms. This motivates the development of post-quantum cryptosystems: classical cryptosystems that can be implemented with today's computers, that will remain secure even in the presence of quantum attacks. In this article we show that the McEliece cryptosystem over rational Goppa codes and the Niederreiter cryptosystem over classical Goppa codes resist precisely the attacks to which the RSA and El Gamal cryptosystems are vulnerable, namely, those based on generating and measuring coset states. This eliminates the approach of strong Fourier sampling on which almost all known exponential speedups by quantum algorithms are based. Specifically, we show that the natural case of the Hidden Subgroup Problem to which McEliece-type cryptosystems reduce cannot be solved by strong Fourier sampling, or by any measurement of a coset state. To do this, we extend recent negative results on quantum algorithms for Graph Isomorphism to subgroups of the automorphism groups of linear codes. This gives the first rigorous results on the security of the McEliece-type cryptosystems in the face of quantum adversaries, strengthening their candidacy for post-quantum cryptography. We also strengthen some results of Kempe, Pyber, and Shalev on the Hidden Subgroup Problem in S_n.
Information Processing Letters, 2015
In a basic related-key attack against a block cipher, the adversary has access to encryptions under keys that differ from the target key by bit-flips. In this short note we show that for a quantum adversary such attacks are quite powerful: if (i) the secret key is uniquely determined by a small number of plaintext-ciphertext pairs, (ii) the block cipher can be evaluated efficiently, and (iii) a superposition of related keys can be queried, then the key can be extracted efficiently.
arXiv (Cornell University), 2020
We present an attack against a code-based signature scheme based on the Lyubashevsky protocol that was recently proposed by Song, Huang, Mu, Wu and Wang (SHMWW). The private key in the SHMWW scheme contains columns coming in part from an identity matrix and in part from a random matrix. The existence of two types of columns leads to a strong bias in the distribution of set bits in produced signatures. Our attack exploits such a bias to recover the private key from a bunch of collected signatures. We provide a theoretical analysis of the attack along with experimental evaluations, and we show that as few as 10 signatures are enough to be collected for successfully recovering the private key. As for previous attempts of adapting Lyubashevsky's protocol to the case of code-based cryptography, the SHMWW scheme is thus proved unable to provide acceptable security. This confirms that devising secure code-based signature schemes with efficiency comparable to that of other post-quantum solutions (e.g., based on lattices) is still a challenging task.