A Power Side-Channel Attack on the Reed-Muller Reed-Solomon Version of the HQC Cryptosystem

Abstract

The code-based post-quantum algorithm Hamming Quasi-Cyclic (HQC) is a fourth round candidate in the NIST standardization project. Since their third round version the authors utilize a new combination of error correcting codes, namely a combination of a Reed-Muller and a Reed-Solomon code, which requires an adaption of published attacks. We identify that the power side-channel attack by Uneo et al. from CHES 2021 does not work in practice as they miss the fact that the implemented Reed-Muller decoder does not have a fixed decoding boundary. In this work we provide a novel attack strategy that again allows for a successful attack. Our attack does not rely on simulation to verify its success but is proven with high probability for the HQC parameter sets. In contrast to the timing side-channel attack by Guo et al. we are able to reduce the required attack queries by a factor of 12 and are able to eliminate the inherent uncertainty of their used timing oracle. We show practical attack results utilizing a power side-channel of the used Reed-Solomon decoder on an ARM Cortex-M4 microcontroller. In addition, we provide a discussion on how or whether our attack strategy is usable with the side-channel targets of mentioned related work. Finally, we use information set decoding to evaluate the remaining attack complexity for partially retrieved secret keys. This work again emphasizes the need for a side-channel secure implementation of all relevant building blocks of HQC.

Appendices

A A Counterexample to the Attack Strategy in [15, 17]

The work [2, Fig. 7] presents a learning algorithm which allows for determining an additive error given access to a decode-to-zero oracle for a bounded-distance decoder. In [2, Theorem 11] it is shown that this algorithm succeeds with probability 1 in the considered setting. Given the vectors \({\boldsymbol{r}}\) and \({\boldsymbol{e}}\), the oracle is defined as

$$\begin{aligned} \textsf{BOO}({\boldsymbol{r}}) = {\left\{ \begin{array}{ll} \textsf{True}, &{} \textrm{if}\ \textrm{HW}({\boldsymbol{r}}+{\boldsymbol{e}}) \le \tau , \\ \textsf{False}, &{} \textrm{else}. \end{array}\right. } \end{aligned}$$

In other words, the oracle provides the information whether the sum of the input \({\boldsymbol{r}}\) and the error \({\boldsymbol{e}}\) would be corrected to zero by a bounded-distance decoder of radius \(\tau \). Note that \(\textsf{BOO}({\boldsymbol{r}})\) is similar to the oracle \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) in our work, as given in Definition 2, except that it assumes a bounded-distance decoder, i.e., a fixed decoding threshold, instead of an ML decoder. In [17, Sect. C.7]⁸ it is claimed that this algorithm can be applied to the round three version of HQC system, which employs an ML decoder. However, the fixed decoding threshold of the bounded-distance decoder is essential to the algorithm of [2, Fig. 7] and in this section we show that replacing the \(\textsf{BOO}({\boldsymbol{r}})\) oracle with the \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) oracle, i.e., considering an ML decoder instead of a bounded-distance decoder, causes this algorithm to return incorrect error vectors. Note that this choice of decoder is inherent to the system and cannot be influenced by the attacker, so the oracle \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) is the appropriate oracle to use for this system. In addition to this counterexample we implemented the attack strategy and performed a simulated attack by directly accessing the RM decoder results of the HQC reference implementation. We were not able to correctly retrieve the support \({\boldsymbol{y}}_i^{(0)}\) with our simulations.

The algorithm of [2, Fig. 7] is based on constructing a vector, such that the sum of this vector and the error is at the decoding threshold. For a bounded-distance decoder, the result of the \(\textsf{BOO}\) oracle, when queried with a single bit of this input flipped, then determines the corresponding position of the error vector. However, this only applies if the result of input x plus error e is at the decoding threshold for every position. We give an example of a vector for which this is only the case for a subset of positions, which leads to an incorrect output, even in the case of a single error. We follow the steps of the algorithm of [2, Fig. 7] and fix the error vector to be the first unit vector \({\boldsymbol{e}}= {\boldsymbol{e}}^{(1)}\).

$$\begin{aligned} \begin{array}{rcl} \text {Initialize} &{} &{} \\ x &{}&{} (0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) \\ y &{}&{} (1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1) \\ \text {First while loop iteration} \\ u &{}&{} (1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0) \\ v &{}&{} (0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1) \\ &{}&{} \mathfrak {D}_0^{{\boldsymbol{e}}}(x+u) = \textsf{False}\\ y \leftarrow u &{}&{} (1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0) \\ \end{array} \end{aligned}$$

$$\begin{aligned} \begin{array}{rcl} \text {Second while loop iteration} \\ u &{}&{} (0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0) \\ v &{}&{} (1,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0) \\ &{}&{} \mathfrak {D}_0^{{\boldsymbol{e}}}(x+u) = \textsf{False}\\ y \leftarrow u &{}&{} (0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0) \\ \text {Third while loop iteration} \\ u &{}&{} (0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0) \\ v &{}&{} (0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0) \\ &{}&{} \mathfrak {D}_0^{{\boldsymbol{e}}}(x+u) = \textsf{True}\\ x \leftarrow x+u &{}&{} (0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0) \\ y \leftarrow v &{}&{} (0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0) \\ \text {Fourth while loop iteration} \\ u &{}&{} (0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ v &{}&{} (0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0) \\ &{}&{} \mathfrak {D}_0^{{\boldsymbol{e}}}(x+u) = \textsf{True}\\ x \leftarrow x+u &{}&{} (0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ y \leftarrow v &{}&{} (0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0) \\ ||y|| =1 &{}&{} \text {Terminate while loop.} \end{array} \end{aligned}$$

As claimed, we now have a word \(x+{\boldsymbol{e}}\) that is at the threshold of decoding, i.e., if a position inside its support is flipped, we decode to zero, i.e., \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x)=\textsf{True}\). The last for-loop of the algorithm iterates over all positions, checking if flipping each bit alters the decoding result. Initialize z to

$$\begin{aligned} \begin{array}{rcl} z\leftarrow x&{}&{} (0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array} . \end{aligned}$$

So, e.g., for the error position we have

$$\begin{aligned} \begin{array}{rcl} x+e^{(1)}&{}&{} (1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ x+e^{(1)}+{\boldsymbol{e}}&{}&{} (0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array} \end{aligned}$$

and therefore \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(1)})=\textsf{True}\). Hence, the first bit in the vector z is flipped to obtain

$$\begin{aligned} \begin{array}{rcl} z\leftarrow z+{\boldsymbol{e}}^{(1)}&{}&{} (1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array}. \end{aligned}$$

Similarly, for any other position in the support, such as, e.g., \(i=2\), we have

$$\begin{aligned} \begin{array}{rcl} x+e^{(2)}&{}&{} (1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ x+e^{(2)}+{\boldsymbol{e}}&{}&{} (0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array} \end{aligned}$$

and therefore \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(2)})=\textsf{True}\), so the second bit of z is flipped to obtain

$$\begin{aligned} \begin{array}{rcl} z\leftarrow z+{\boldsymbol{e}}^{(2)}&{}&{} (0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array}. \end{aligned}$$

After the first 8 positions we have

$$\begin{aligned} \begin{array}{rcl} z\leftarrow z+{\boldsymbol{e}}^{(1)}&{}&{} (1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) \\ \end{array} . \end{aligned}$$

However, take for example \(i=9\). Then,

$$\begin{aligned} \begin{array}{rcl} x+e^{(9)}&{}&{} (0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0) \\ x+e^{(9)}+{\boldsymbol{e}}&{}&{} (1,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0) \\ \end{array}. \end{aligned}$$

At this point the difference between a bounded-distance decoder and an ML decoder affects the decoding decision. While this word does have weight more than d/2, it is easy to check that an ML decoder still decides for the all-zero word, so \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(9)})=\textsf{True}\) and we get

$$\begin{aligned} \begin{array}{rcl} z\leftarrow z+{\boldsymbol{e}}^{(1)}&{}&{} (1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0) \\ \end{array} . \end{aligned}$$

This holds for all positions in the second part of the word, so at the end of the algorithm the “approximated error vector” is given by

$$\begin{aligned} \begin{array}{rcl} z\leftarrow z+{\boldsymbol{e}}^{(1)}&{}&{} (1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1) \\ \end{array}. \end{aligned}$$

Hence, even in this simple case of a single error, the strategy does not return the correct error vector.

B B Modified Variant of Stern’s Algorithm

Let \(\mathcal {J}{:}{=}\{j_0,\ldots ,j_{\tau -1}\} \subseteq {{\,\textrm{supp}\,}}({\boldsymbol{y}}) \subseteq [0\!:\!n-1]\) be the subset of the support of \({\boldsymbol{y}}\) that we retrieved, and let \(\mathcal {L}{:}{=}\{l_0,\ldots ,l_{\iota -1}\} \subseteq [0\!:\!n-1]{\setminus }{{\,\textrm{supp}\,}}({\boldsymbol{y}})\) denote the indices of the zero entries in \({\boldsymbol{y}}\) that we determined. Then, we us obtain the secret vectors \({\boldsymbol{x}}\) and \({\boldsymbol{y}}\) using the modified variant of Stern’s algorithm [14] that is shown in Algorithm 8.

Theorem 2

Let n and w be parameters chosen according to Table 1. Let \(({\boldsymbol{x}},{\boldsymbol{y}})\) and \(({\boldsymbol{h}},{\boldsymbol{s}})\) be a private and public key pair generated by Algorithm 1 for the chosen parameters. Let \(\mathcal {J}{:}{=}\{j_0,\ldots ,j_{\tau -1}\}\) be a subset of the support of \({\boldsymbol{y}}\), let \(\mathcal {L}= \{l_0,\ldots ,l_{\iota -1}\}\) denote a set of indices of zero entries in \({\boldsymbol{y}}\), and let \(n'=n-\iota \) and \(w'=w-\tau \). Furthermore, let \(k_1\), \(p_{\text { St}}\), \(\nu _{\text { St,1}}\), and \(\nu _{\text { St,2}}\) be non-negative integers such that \(k_1 \le n'\), \(p_{\text { St}}\le w+w'\), \(\nu _{\text { St,1}}\le n-k_1\), and \(\nu _{\text { St,2}}\le n-n'+k_1\).

Then, given \({\boldsymbol{H}}= [{\boldsymbol{1}},{{\,\textrm{rot}\,}}({\boldsymbol{h}})] \in \mathbb {F}_2^{n\times 2n}\), w, \({\boldsymbol{s}}\in \mathbb {F}_2^{n}\), \(k_1\), \(p_{\text { St}}\), \(\nu _{\text { St,1}}\), \(\nu _{\text { St,2}}\), \(\mathcal {J}\), and \(\mathcal {L}\), Algorithm 8 outputs the vector \([{\boldsymbol{x}},{\boldsymbol{y}}]\) with, on average, approximately

$$\begin{aligned} \mathcal {W}_{\text { ModSt}}{:}{=}\frac{\mathcal {W}_{\text { St,Iter}}}{ P_{\text { St}}} \end{aligned}$$

operations in \(\mathbb {F}_2\), where

$$\begin{aligned} \mathcal {W}_{\text { St,Iter}}&{:}{=}(n+n')^3+(\nu _{\text { St,1}}+\nu _{\text { St,2}}) \left( \sum _{i=1}^{p_{\text { St}}} \left( {\begin{array}{c}M_1\\ i\end{array}}\right) +\sum _{i=1}^{p_{\text { St}}} \left( {\begin{array}{c}M_2\\ i\end{array}}\right) -n' +\left( {\begin{array}{c}M_2\\ p_{\text { St}}\end{array}}\right) \right) \\&\quad +2^{1-\nu _{\text { St,1}}-\nu _{\text { St,2}}}\left( {\begin{array}{c}M_1\\ p_{\text { St}}\end{array}}\right) \left( {\begin{array}{c}M_2\\ p_{\text { St}}\end{array}}\right) (w+w'-2p_{\text { St}}+1)(2p_{\text { St}}+1), \end{aligned}$$

the quantities \(M_1 = \lfloor k_1/2 \rfloor + \lfloor (n'-k_1)/2 \rfloor \) and \(M_2 = \lceil k_1/2 \rceil + \lceil (n'-k_1)/2 \rceil \), and

$$\begin{aligned} P_{\text { St}}{:}{=}\! \sum \nolimits _{\begin{array}{c} {\boldsymbol{a}}\in \mathbb {N}_0^2 \\ a_1 \le w \\ a_2 \le w' \\ a_1+a_2 = p_{\text { St}} \end{array}} \sum \nolimits _{\begin{array}{c} {\boldsymbol{b}}\in \mathbb {N}_0^2 \\ b_1 \le w-a_1 \\ b_2 \le w'-a_2 \\ b_1+b_2 = p_{\text { St}} \end{array}} \!\frac{\left( {\begin{array}{c}\lfloor k_1/2\rfloor \\ a_1\end{array}}\right) \left( {\begin{array}{c}\lceil k_1/2\rceil \\ b_1\end{array}}\right) \left( {\begin{array}{c}n-k_1-\nu _{\text { St,1}}\\ w-a_1-b_1\end{array}}\right) }{\left( {\begin{array}{c}n\\ w\end{array}}\right) } \frac{\left( {\begin{array}{c}\lfloor (n'-k_1)/2\rfloor \\ a_2\end{array}}\right) \left( {\begin{array}{c}\lceil (n'-k_1)/2\rceil \\ b_2\end{array}}\right) \left( {\begin{array}{c}k_1-\nu _{\text { St,2}}\\ w'-a_2-b_2\end{array}}\right) }{\left( {\begin{array}{c}n'\\ w'\end{array}}\right) }. \end{aligned}$$

Proof

In Line 1, the algorithm uses \(\mathcal {J}\) to transform the syndrome decoding instance \(({\boldsymbol{H}},{\boldsymbol{s}},[{\boldsymbol{x}},{\boldsymbol{y}}])\) of length 2n, dimension n and error weight 2w into the syndrome decoding instance \(({\boldsymbol{H}},\tilde{{\boldsymbol{s}}},[{\boldsymbol{x}},\tilde{{\boldsymbol{y}}}])\) of length 2n, dimension n and error weight \(w+w'\), where \(\textrm{HW}(\tilde{{\boldsymbol{y}}}) = w'\) and \({{\,\textrm{supp}\,}}(\tilde{{\boldsymbol{y}}})\cup \mathcal {J}= {{\,\textrm{supp}\,}}({\boldsymbol{y}})\). The remaining steps are equal to the modification of Stern’s algorithm presented in [4] and [12, Alg. 17] except that the set \(\mathcal {X}_2\) always contains \(\mathcal {L}_1 = \{l_0,\ldots ,l_{\lceil \iota /2\rceil -1}\}\) and the set \(\mathcal {Y}_2\) always contains \(\mathcal {L}_2 = \{l_{\lceil \iota /2\rceil },\ldots ,l_{\iota -1}\}\). By this choice of \(\mathcal {X}_2\) and \(\mathcal {Y}_2\), the syndrome decoding instance \(({\boldsymbol{H}},\tilde{{\boldsymbol{s}}},[{\boldsymbol{x}},\tilde{{\boldsymbol{y}}}])\) is transformed into the \((\bar{{\boldsymbol{H}}},\bar{{\boldsymbol{s}}},[{\boldsymbol{x}},\bar{{\boldsymbol{y}}}])\) instance of length \(n+n'\), dimension \(n'\) and error weight \(w+w'\), where \(\bar{{\boldsymbol{H}}}\in \mathbb {F}_2^{n'\times (n+n')}\), \(\bar{{\boldsymbol{s}}}\in \mathbb {F}_2^{n+n'} \), and \(\bar{{\boldsymbol{y}}}\in \mathbb {F}_2^{n'}\).

Such that an iteration of Stern’s algorithm can solve the \((\bar{{\boldsymbol{H}}},\bar{{\boldsymbol{s}}},[{\boldsymbol{x}},\bar{{\boldsymbol{y}}}])\) syndrome decoding instance, there must be exactly \(p_{\text { St}}\) error positions in both \(\mathcal {X}_1 \cup \mathcal {X}_2\) and \(\mathcal {Y}_1 \cup \mathcal {Y}_2\) and no error positions in \(\mathcal {Z}_1\) and \(\mathcal {Z}_2\). The probability that this event occurs is equal to \(P_{\text { St}}\), cf. [4] and [12, Thm. 4.9]. This implies that, on average, Lines 5 to 12 need to be executed \(1/P_{\text { St}}\), where each iteration has a complexity of \(\mathcal {W}_{\text { St,Iter}}\).    \(\square \)

C C T-Test Result: Power Side-Channel of the RS Decoder

The t-test results used for identifying points of interest for building our oracle with the power side-channel of the RS decoder (Sect. 4.1) is shown in Fig. 4. The high t-values clearly indicate that both classes can be distinguished through this power side-channel. The shown samples correspond to the complete execution time of the error-locator polynomial computation implemented in the HQC-128 reference implementation.

Fig. 4.

Resulting t-values used for identifying points of interest using the side-channel described in Sect. 4.1. The marked \(Th_{attack}\) is used as a threshold for the actual attack.