Abstract
The code-based post-quantum algorithm Hamming Quasi-Cyclic (HQC) is a fourth round candidate in the NIST standardization project. Since their third round version the authors utilize a new combination of error correcting codes, namely a combination of a Reed-Muller and a Reed-Solomon code, which requires an adaption of published attacks. We identify that the power side-channel attack by Uneo et al. from CHES 2021 does not work in practice as they miss the fact that the implemented Reed-Muller decoder does not have a fixed decoding boundary. In this work we provide a novel attack strategy that again allows for a successful attack. Our attack does not rely on simulation to verify its success but is proven with high probability for the HQC parameter sets. In contrast to the timing side-channel attack by Guo et al. we are able to reduce the required attack queries by a factor of 12 and are able to eliminate the inherent uncertainty of their used timing oracle. We show practical attack results utilizing a power side-channel of the used Reed-Solomon decoder on an ARM Cortex-M4 microcontroller. In addition, we provide a discussion on how or whether our attack strategy is usable with the side-channel targets of mentioned related work. Finally, we use information set decoding to evaluate the remaining attack complexity for partially retrieved secret keys. This work again emphasizes the need for a side-channel secure implementation of all relevant building blocks of HQC.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The previous version of the HQC system employed repetition codes of odd length instead of RM codes. It is well-known that this class of codes is perfect, i.e., the unique decoding error balls centered on the codewords fill the entire space. In this specific case, a bounded-distance decoder with radius \((d-1)/2\) is equivalent to an ML decoder. Note that first-order RM codes are not perfect, so this special case does not apply here.
- 2.
- 3.
Note that \(f^2=f\) in \(\mathbb {F}_2[x]\), so \((\hat{p}+1)\hat{p}\check{p}=\hat{p}^2\check{p} + \hat{p}\check{p} =2\hat{p}\check{p}=0\).
- 4.
Note that this does not imply that the outcome is 0, since one of the words of \(\mathcal {F}\) could still be closer to \(r+e\) than 0.
- 5.
Similarly to the previous case, this does not mean that the ML decoding result is necessarily \(\hat{p}\), since the proof does not hold for \(\check{p}\) and \(\hat{p}+\check{p}+1\).
- 6.
The simulation integrates the C reference implementation of the RM decoder and directly uses the decoding result to build the required oracle.
- 7.
A (linear) subcode consists of a subset of codewords of the original code, usually in the form of a linear subspace. It is easy to see that any decoder for the original code can also be applied to the subcode, since it contains any codeword of the subcode. For more details on the relation between RS and BCH codes, the reader is referred to [7, Chap. 12].
- 8.
References
Albrecht, M.R., et al.: NIST post-quantum cryptography standardization round 3 submission: classic McEliece. https://classic.mceliece.org
Bâetu, C., Durak, F.B., Huguenin-Dumittan, L., Talayhan, A., Vaudenay, S.: Misuse attacks on post-quantum cryptosystems. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 747–776. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_26
Guo, Q., Hlauschek, C., Johansson, T., Lahr, N., Nilsson, A., Schröder, R.L.: Don’t reject this: Key-recovery timing attacks due to rejection-sampling in HQC and BIKE. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022(3), 223–263 (2022)
Horlemann, A.L., Puchinger, S., Renner, J., Schamberger, T., Wachter-Zeh, A.: Information-set decoding with hints. In: Wachter-Zeh, A., Bartz, H., Liva, G. (eds.) CBCrypto 2021. LNCS, vol. 13150, pp. 60–83. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-98365-9_4
Huguenin-Dumittan, L., Vaudenay, S.: Classical misuse attacks on NIST round 2 PQC: the power of rank-based schemes. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12146, pp. 208–227. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57808-4_11
Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: PQM4: post-quantum crypto library for the ARM Cortex-M4. https://github.com/mupq/pqm4
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, vol. 16. Elsevier, Amsterdam (1977)
Melchor, C.A., et al.: NIST post-quantum cryptography standardization round 2 submission: hamming Quasi-Cyclic (HQC). http://pqc-hqc.org/
Melchor, C.A., et al.: NIST post-quantum cryptography standardization round 3 submission: hamming Quasi-Cyclic (HQC). http://pqc-hqc.org/
Moody, D.: Status report on the third round of the NIST post-quantum cryptography standardization process (2022). https://doi.org/10.6028/nist.ir.8413
Paiva, T.B., Terada, R.: A timing attack on the HQC encryption scheme. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 551–573. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_22
Renner, J.: Post-quantum cryptography in the Hamming metric, the rank metric, and the sum-rank metric. Dissertation (Ph.D. thesis), Technische Universität München (2022)
Schamberger, T., Renner, J., Sigl, G., Wachter-Zeh, A.: A power side-channel attack on the CCA2-Secure HQC KEM. In: Liardet, P.-Y., Mentens, N. (eds.) CARDIS 2020. LNCS, vol. 12609, pp. 119–134. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68487-7_8
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850
Ueno, R., Xagawa, K., Tanaka, Y., Ito, A., Takahashi, J., Homma, N.: Curse of re-encryption: a generic power/EM analysis on post-quantum KEMs. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022(1), 296–322 (2021). https://tches.iacr.org/index.php/TCHES/article/view/9298
Wafo-Tapa, G., Bettaieb, S., Bidoux, L., Gaborit, P., Marcatel, E.: A practicable timing attack against HQC and its countermeasure. Cryptology ePrint Archive, Report 2019/909 (2019). https://eprint.iacr.org/2019/909
Xagawa, K., Ito, A., Ueno, R., Takahashi, J., Homma, N.: Fault-injection attacks against NIST’s post-quantum cryptography round 3 KEM candidates. Cryptology ePrint Archive, Report 2021/840 (2021). https://ia.cr/2021/840
Acknowledgment
This work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. SE2989/1-1 as well as WA3907/4-1 and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434). We would like to thank Christoph Frisch for his helpful feedback.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A A Counterexample to the Attack Strategy in [15, 17]
The work [2, Fig. 7] presents a learning algorithm which allows for determining an additive error given access to a decode-to-zero oracle for a bounded-distance decoder. In [2, Theorem 11] it is shown that this algorithm succeeds with probability 1 in the considered setting. Given the vectors \({\boldsymbol{r}}\) and \({\boldsymbol{e}}\), the oracle is defined as
In other words, the oracle provides the information whether the sum of the input \({\boldsymbol{r}}\) and the error \({\boldsymbol{e}}\) would be corrected to zero by a bounded-distance decoder of radius \(\tau \). Note that \(\textsf{BOO}({\boldsymbol{r}})\) is similar to the oracle \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) in our work, as given in Definition 2, except that it assumes a bounded-distance decoder, i.e., a fixed decoding threshold, instead of an ML decoder. In [17, Sect. C.7]Footnote 8 it is claimed that this algorithm can be applied to the round three version of HQC system, which employs an ML decoder. However, the fixed decoding threshold of the bounded-distance decoder is essential to the algorithm of [2, Fig. 7] and in this section we show that replacing the \(\textsf{BOO}({\boldsymbol{r}})\) oracle with the \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) oracle, i.e., considering an ML decoder instead of a bounded-distance decoder, causes this algorithm to return incorrect error vectors. Note that this choice of decoder is inherent to the system and cannot be influenced by the attacker, so the oracle \(\mathfrak {D}_0^{\boldsymbol{e}}({\boldsymbol{r}})\) is the appropriate oracle to use for this system. In addition to this counterexample we implemented the attack strategy and performed a simulated attack by directly accessing the RM decoder results of the HQC reference implementation. We were not able to correctly retrieve the support \({\boldsymbol{y}}_i^{(0)}\) with our simulations.
The algorithm of [2, Fig. 7] is based on constructing a vector, such that the sum of this vector and the error is at the decoding threshold. For a bounded-distance decoder, the result of the \(\textsf{BOO}\) oracle, when queried with a single bit of this input flipped, then determines the corresponding position of the error vector. However, this only applies if the result of input x plus error e is at the decoding threshold for every position. We give an example of a vector for which this is only the case for a subset of positions, which leads to an incorrect output, even in the case of a single error. We follow the steps of the algorithm of [2, Fig. 7] and fix the error vector to be the first unit vector \({\boldsymbol{e}}= {\boldsymbol{e}}^{(1)}\).
As claimed, we now have a word \(x+{\boldsymbol{e}}\) that is at the threshold of decoding, i.e., if a position inside its support is flipped, we decode to zero, i.e., \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x)=\textsf{True}\). The last for-loop of the algorithm iterates over all positions, checking if flipping each bit alters the decoding result. Initialize z to
So, e.g., for the error position we have
and therefore \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(1)})=\textsf{True}\). Hence, the first bit in the vector z is flipped to obtain
Similarly, for any other position in the support, such as, e.g., \(i=2\), we have
and therefore \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(2)})=\textsf{True}\), so the second bit of z is flipped to obtain
After the first 8 positions we have
However, take for example \(i=9\). Then,
At this point the difference between a bounded-distance decoder and an ML decoder affects the decoding decision. While this word does have weight more than d/2, it is easy to check that an ML decoder still decides for the all-zero word, so \(\mathfrak {D}_0^{{\boldsymbol{e}}}(x+e^{(9)})=\textsf{True}\) and we get
This holds for all positions in the second part of the word, so at the end of the algorithm the “approximated error vector” is given by
Hence, even in this simple case of a single error, the strategy does not return the correct error vector.
B B Modified Variant of Stern’s Algorithm
Let \(\mathcal {J}{:}{=}\{j_0,\ldots ,j_{\tau -1}\} \subseteq {{\,\textrm{supp}\,}}({\boldsymbol{y}}) \subseteq [0\!:\!n-1]\) be the subset of the support of \({\boldsymbol{y}}\) that we retrieved, and let \(\mathcal {L}{:}{=}\{l_0,\ldots ,l_{\iota -1}\} \subseteq [0\!:\!n-1]{\setminus }{{\,\textrm{supp}\,}}({\boldsymbol{y}})\) denote the indices of the zero entries in \({\boldsymbol{y}}\) that we determined. Then, we us obtain the secret vectors \({\boldsymbol{x}}\) and \({\boldsymbol{y}}\) using the modified variant of Stern’s algorithm [14] that is shown in Algorithm 8.
Theorem 2
Let n and w be parameters chosen according to Table 1. Let \(({\boldsymbol{x}},{\boldsymbol{y}})\) and \(({\boldsymbol{h}},{\boldsymbol{s}})\) be a private and public key pair generated by Algorithm 1 for the chosen parameters. Let \(\mathcal {J}{:}{=}\{j_0,\ldots ,j_{\tau -1}\}\) be a subset of the support of \({\boldsymbol{y}}\), let \(\mathcal {L}= \{l_0,\ldots ,l_{\iota -1}\}\) denote a set of indices of zero entries in \({\boldsymbol{y}}\), and let \(n'=n-\iota \) and \(w'=w-\tau \). Furthermore, let \(k_1\), \(p_{\text { St}}\), \(\nu _{\text { St,1}}\), and \(\nu _{\text { St,2}}\) be non-negative integers such that \(k_1 \le n'\), \(p_{\text { St}}\le w+w'\), \(\nu _{\text { St,1}}\le n-k_1\), and \(\nu _{\text { St,2}}\le n-n'+k_1\).
Then, given \({\boldsymbol{H}}= [{\boldsymbol{1}},{{\,\textrm{rot}\,}}({\boldsymbol{h}})] \in \mathbb {F}_2^{n\times 2n}\), w, \({\boldsymbol{s}}\in \mathbb {F}_2^{n}\), \(k_1\), \(p_{\text { St}}\), \(\nu _{\text { St,1}}\), \(\nu _{\text { St,2}}\), \(\mathcal {J}\), and \(\mathcal {L}\), Algorithm 8 outputs the vector \([{\boldsymbol{x}},{\boldsymbol{y}}]\) with, on average, approximately
operations in \(\mathbb {F}_2\), where
the quantities \(M_1 = \lfloor k_1/2 \rfloor + \lfloor (n'-k_1)/2 \rfloor \) and \(M_2 = \lceil k_1/2 \rceil + \lceil (n'-k_1)/2 \rceil \), and
Proof
In Line 1, the algorithm uses \(\mathcal {J}\) to transform the syndrome decoding instance \(({\boldsymbol{H}},{\boldsymbol{s}},[{\boldsymbol{x}},{\boldsymbol{y}}])\) of length 2n, dimension n and error weight 2w into the syndrome decoding instance \(({\boldsymbol{H}},\tilde{{\boldsymbol{s}}},[{\boldsymbol{x}},\tilde{{\boldsymbol{y}}}])\) of length 2n, dimension n and error weight \(w+w'\), where \(\textrm{HW}(\tilde{{\boldsymbol{y}}}) = w'\) and \({{\,\textrm{supp}\,}}(\tilde{{\boldsymbol{y}}})\cup \mathcal {J}= {{\,\textrm{supp}\,}}({\boldsymbol{y}})\). The remaining steps are equal to the modification of Stern’s algorithm presented in [4] and [12, Alg. 17] except that the set \(\mathcal {X}_2\) always contains \(\mathcal {L}_1 = \{l_0,\ldots ,l_{\lceil \iota /2\rceil -1}\}\) and the set \(\mathcal {Y}_2\) always contains \(\mathcal {L}_2 = \{l_{\lceil \iota /2\rceil },\ldots ,l_{\iota -1}\}\). By this choice of \(\mathcal {X}_2\) and \(\mathcal {Y}_2\), the syndrome decoding instance \(({\boldsymbol{H}},\tilde{{\boldsymbol{s}}},[{\boldsymbol{x}},\tilde{{\boldsymbol{y}}}])\) is transformed into the \((\bar{{\boldsymbol{H}}},\bar{{\boldsymbol{s}}},[{\boldsymbol{x}},\bar{{\boldsymbol{y}}}])\) instance of length \(n+n'\), dimension \(n'\) and error weight \(w+w'\), where \(\bar{{\boldsymbol{H}}}\in \mathbb {F}_2^{n'\times (n+n')}\), \(\bar{{\boldsymbol{s}}}\in \mathbb {F}_2^{n+n'} \), and \(\bar{{\boldsymbol{y}}}\in \mathbb {F}_2^{n'}\).
Such that an iteration of Stern’s algorithm can solve the \((\bar{{\boldsymbol{H}}},\bar{{\boldsymbol{s}}},[{\boldsymbol{x}},\bar{{\boldsymbol{y}}}])\) syndrome decoding instance, there must be exactly \(p_{\text { St}}\) error positions in both \(\mathcal {X}_1 \cup \mathcal {X}_2\) and \(\mathcal {Y}_1 \cup \mathcal {Y}_2\) and no error positions in \(\mathcal {Z}_1\) and \(\mathcal {Z}_2\). The probability that this event occurs is equal to \(P_{\text { St}}\), cf. [4] and [12, Thm. 4.9]. This implies that, on average, Lines 5 to 12 need to be executed \(1/P_{\text { St}}\), where each iteration has a complexity of \(\mathcal {W}_{\text { St,Iter}}\). \(\square \)
C C T-Test Result: Power Side-Channel of the RS Decoder
The t-test results used for identifying points of interest for building our oracle with the power side-channel of the RS decoder (Sect. 4.1) is shown in Fig. 4. The high t-values clearly indicate that both classes can be distinguished through this power side-channel. The shown samples correspond to the complete execution time of the error-locator polynomial computation implemented in the HQC-128 reference implementation.
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Schamberger, T., Holzbaur, L., Renner, J., Wachter-Zeh, A., Sigl, G. (2022). A Power Side-Channel Attack on the Reed-Muller Reed-Solomon Version of the HQC Cryptosystem. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_16
Download citation
DOI: https://doi.org/10.1007/978-3-031-17234-2_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17233-5
Online ISBN: 978-3-031-17234-2
eBook Packages: Computer ScienceComputer Science (R0)