This paper presents horizontal and vertical side-channel analysis techniques for an implementation of the McEliece cryptosystem. The target of this side-channel attack is a state-of-the-art field-programmable gate array (FPGA) implementation of the efficient quasi-cyclic moderate-density parity-check (QC-MDPC) McEliece decryption operation, as presented at Design, Automation and Test in Europe (DATE) 2014. The presented cryptanalysis succeeds in recovering the complete secret key after a few observed decryptions. It consists of a combination of a differential leakage analysis during the syndrome computation followed by an algebraic step that exploits the relation between the public key and the private key.
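The two-stage structure described in the abstract (read the secret block off the power traces, then use the public key to validate and finish the recovery) can be illustrated end to end on a toy instance. The following Python script is an added example; it is not code from the paper or from the DATE 2014 implementation, and its leakage model is an assumption made for the illustration: the stored key is rotated by one position per clock step, and each step leaks the Hamming weight of the carry bit (one key bit) plus Gaussian noise. What is not an assumption is the key relation it exploits: in QC-MDPC McEliece the secret is a pair of sparse polynomials \(h_0, h_1\) in \(\mathbb{F}_2[x]/(x^r-1)\) and the public key is \(g = h_0^{-1} h_1\) (up to transposition conventions), so \(h_1 = g \cdot h_0\) follows once \(h_0\) is known, and a wrong \(h_0\) produces a dense \(h_1\). The toy parameters \(r = 61\), weight 5 per block, and every function name are chosen here; real 80-bit parameters are \(r = 4801\) with total row weight 90.

```python
"""Toy QC-MDPC McEliece key pair, simulated rotation leakage, and two-stage key recovery
(differential read-out of the key bits, then an algebraic check against the public key).
Added example: parameters, names and the leakage model are assumptions for illustration."""
import random
from itertools import combinations

R = 61            # toy block length; prime, and 2 is a primitive root mod 61, so
                  # F2[x]/(x^R - 1) = F2 x GF(2^(R-1)) and every odd-weight polynomial
                  # other than the all-ones word is a unit (real QC-MDPC: r = 4801)
D = 5             # weight of each secret block h0, h1 (odd, so h0(1) = 1; real: w/2 = 45)
MASK = (1 << R) - 1


def weight(a):
    return bin(a).count("1")


def mul(a, b):
    """Product in F2[x]/(x^R - 1): carry-less multiply with x^R folded back to 1."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a = ((a << 1) & MASK) | (a >> (R - 1))   # a := a * x (cyclic left shift)
    return acc


def inv(a):
    """Inverse of a unit as a^(2^(R-1) - 2); valid because 2 is primitive mod R."""
    e = (1 << (R - 1)) - 2
    result, base = 1, a
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def random_sparse(rng, w):
    return sum(1 << i for i in rng.sample(range(R), w))


def keygen(rng):
    """Secret (h0, h1) of weight D each; public g = h0^-1 * h1, hence h1 = g * h0."""
    h0, h1 = random_sparse(rng, D), random_sparse(rng, D)
    return (h0, h1), mul(inv(h0), h1)


def simulate_trace(h0, rng, sigma):
    """Assumed leakage: at rotation step t the sample is HW(carry) + N(0, sigma), where the
    carry is the key bit wrapping from position R-1 to 0 as the stored key is rotated by x."""
    key, trace = h0, []
    for _ in range(R):
        carry = key >> (R - 1)
        trace.append(carry + rng.gauss(0.0, sigma))
        key = ((key << 1) & MASK) | carry
    return trace


def dpa_recover(traces):
    """Vertical step: average the traces. Horizontal step: sample t carries original bit
    (R-1-t) mod R, so one pass over time yields the whole block h0 plus a confidence per bit."""
    n = len(traces)
    guess, confidence = 0, []
    for t in range(R):
        mean = sum(tr[t] for tr in traces) / n
        pos = (R - 1 - t) % R
        if mean > 0.5:                      # midpoint between the HW=0 and HW=1 hypotheses
            guess |= 1 << pos
        confidence.append((abs(mean - 0.5), pos))
    return guess, confidence


def check_candidate(h0_cand, g):
    """Algebraic step: a correct h0 makes h1 = g*h0 sparse; a wrong one gives a dense h1."""
    if weight(h0_cand) != D:
        return None
    h1_cand = mul(g, h0_cand)
    return h1_cand if weight(h1_cand) == D else None


def correct_with_public_key(h0_cand, confidence, g, max_flips=2, pool=8):
    """Use the public-key relation as an oracle to repair up to max_flips mis-read bits,
    trying the least confident positions first."""
    low = [pos for _, pos in sorted(confidence)[:pool]]
    for k in range(max_flips + 1):
        for flips in combinations(low, k):
            trial = h0_cand
            for pos in flips:
                trial ^= 1 << pos
            h1 = check_candidate(trial, g)
            if h1 is not None:
                return trial, h1
    return None


def run_attack(seed=1, n_traces=8, sigma=0.5):
    rng = random.Random(seed)
    secret, g = keygen(rng)
    traces = [simulate_trace(secret[0], rng, sigma) for _ in range(n_traces)]
    guess, confidence = dpa_recover(traces)
    return {"secret": secret, "public": g, "dpa_guess": guess,
            "recovered": correct_with_public_key(guess, confidence, g)}


if __name__ == "__main__":
    out = run_attack()
    print("secret key recovered:", out["recovered"] == out["secret"])
```

Two design points carry over to real attacks. First, the public key turns a noisy partial recovery into a certain one: the sparsity of \(g \cdot h_0'\) is a free, offline key-validity oracle, so the side-channel stage only has to get close, and the least confident bits can be brute-forced afterwards. Second, the leakage model is the part a practitioner must measure rather than assume; on a real FPGA the rotation datapath, word width and register activity decide which samples carry key bits, which is why the masked design of the later work (L109 on this page) is validated with leakage-detection tests rather than with an analytical model.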

... Power analysis (PA) has especially been employed to compromise the security of different crypto-systems running on a computing platform. Examples include secret key recovery from elliptic-curve cryptography (ECC) running on iOS and Android devices [1] and McEliece cryptosystem implemented on FPGA [2], attacks on Xilinx bitstream encryption [3], recovering the secret key of postquantum key exchange protocols [4], [5], key recovery of Advanced Encryption Standard (AES) [6], symmetric encryption systems [7], [8] and breaking the security of smart cards [9]. ...

... The architecture of the MLP used in this work is shown in Fig. 6. To facilitate training of the MLP, the input power features are normalized over all measurements. Let \(c^{(2)}_j\), \(j = 1, 2, \dots, S\), denote the power features, extracted at the top-layer encoder cell of the auto-encoder in Fig. 5, corresponding to \(S\) power measurements. The input to the MLP is the ...

... Processing of power traces as in Fig. 7 is similar to the horizontal attacks of [2], [4] in which similar patterns of power consumption through time, corresponding to the same key subset, are analyzed to recover the key. However, in the SCAUL attack on AES, the power traces correspond to different key subsets. ...

Existing power analysis techniques rely on strong adversary models with prior knowledge of the leakage or training data. We introduce side-channel analysis with unsupervised learning (SCAUL) that can recover the secret key without requiring prior knowledge or profiling (training). We employ an LSTM auto-encoder to extract features from power traces with high mutual information with the data-dependent samples of the measurements. We demonstrate that by replacing the raw measurements with the auto-encoder features in a classical DPA attack, the efficiency, in terms of the required number of measurements for key recovery, improves by 10×. Further, we employ these features to identify a leakage model with sensitivity analysis and multi-layer perceptron (MLP) networks. SCAUL uses the auto-encoder features and the leakage model, obtained in an unsupervised approach, to find the correct key. On a lightweight implementation of AES on an Artix-7 FPGA, we show that SCAUL is able to recover the correct key with 3,700 power measurements with random plaintexts, while a DPA attack requires at least 17,400 measurements. Using misaligned traces, with an uncertainty equal to 20% of the hardware clock cycle, SCAUL is able to recover the secret key with 12,300 measurements while the DPA attack fails to detect the key.

... A single trace is used as a side channel on PQC lattice-based encryption schemes to perform key recovery [25]. Power side channels on FPGA implementations of McEliece PQC were shown in [45]. Differential power side channels were revealed in PQC XMSS and SPHINCS [46]. ...

NIST is standardizing Post Quantum Cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion of cryptographic software (algorithm subversion attacks) that weakens the implementations. We show that PQC digital signature codes can be subverted in line with previously reported flawed implementations that generate verifiable, but less secure, signatures, demonstrating the risk of such attacks. Since all processors have built-in Hardware Performance Counters (HPCs), there exists a body of work proposing low-cost Machine Learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A minuscule percentage of qualitative inputs, when applied to the PQC codes, improves this accuracy to 98%. We propose grey-box fuzzing as a pre-processing step to obtain inputs to aid the HPC-based method.

... Fault attacks on the variables used during encryption by McEliece and Niederreiter schemes are examined in [10]. A Differential Power Analysis (DPA) attack is presented in [11] that recovers the secret key of a QC-MDPC McEliece FPGA implementation by measuring the leakage of the carry occurring during the key rotation operation. A similar attack on a software implementation is presented in [15], using the detection of counter overflows. ...

This paper presents an attack based on side-channel information and information-set decoding (ISD) on the code-based Niederreiter cryptosystem and an evaluation of the practicality of the attack using an electromagnetic side channel. We start by directly adapting the timing side-channel plaintext-recovery attack by Shoufan et al. from 2010 to the constant-time implementation of the Niederreiter cryptosystem as used in the official FPGA implementation of the NIST finalist “Classic McEliece”. We then enhance our attack using ISD and a new technique that we call iterative chunking to further significantly reduce the number of required side-channel measurements. We theoretically show that our attack improvements have a significant impact on reducing the number of required side-channel measurements. For example, for the 256-bit security parameter set kem/mceliece6960119 of “Classic McEliece”, we improve the basic attack that requires 5415 measurements to less than 562 measurements on average to mount a successful plaintext-recovery attack. Further reductions can be achieved at the price of increasing the cost of the ISD computations. We confirm our findings by practically mounting the attack on the official FPGA implementation of “Classic McEliece” for all proposed parameter sets.

... Some side-channel attacks have been attempted on the McEliece cryptosystem using QC-MDPC codes [26,27]. Side-channel attacks try to gain information by measuring time (time analysis attacks) or power usage (power analysis attacks) differences in performed calculations in the encryption or decryption process. ...

The purpose of this thesis is to examine whether Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes are a good family of error-correcting codes to replace Goppa codes in the McEliece cryptosystem. This cryptosystem is one of a few cryptosystems which are thought to be secure against general-purpose quantum computers. These quantum computers are able to exploit properties of their core components, the quantum bits, to solve some of the hardest mathematical problems; however, it is these problems that grant current-day encryption its security. Robert McEliece proposed a cryptosystem based on techniques used in coding theory. Despite allowing for the rapid encryption and decryption of messages, storage of the users’ cryptographic key requires a large amount of memory, making its use impractical. Many have proposed changes to decrease the size of the key, but all these propositions have led to either a security breach or were found inefficient. QC-MDPC codes have the advantage that storage of their cryptographic key requires significantly less memory. This study shows that, like many other families of codes, QC-MDPC codes are also vulnerable to a cryptanalytic attack, which excludes them from being a candidate to replace the originally proposed Goppa codes.

... [15] implements a lightweight MDPC-McEliece on FPGAs by sequentially manipulating cyclic rotations of the private key in block RAMs. This work was found to be vulnerable to differential power analysis attacks [16], [17] in 2015. [18] introduces mask operations on large keys as a countermeasure against differential power analysis. ...

In this paper, we present a fast implementation of QC-MDPC Niederreiter encryption. Existing high-speed implementations are resource-intensive; the design proposed here reduces that cost while maintaining high throughput. In particular, new arithmetic for lightweight Hamming weight computation and a fast sorting network for MDPC decoding are proposed. A novel constant-weight coding unit is proposed to enable standard asymmetric encryption. At the time of writing, the design presented in this work is the fastest QC-MDPC code-based encryption design in the public domain. The area-time product of this work drops by at least 53% compared to previous high-speed designs of QC-MDPC-based encryption. For instance, our encryption engine performs one encryption in 3.86 µs on a Xilinx Virtex-6 FPGA with 3371 slices. Our iterative decryption engine decrypts one ciphertext in 114.64 µs with 5271 slices, and our faster non-iterative decryption engine decrypts in 65.76 µs with 8781 slices.

We present a novel code-based signature scheme called modified pqsigRM. This scheme is based on a modified Reed-Muller (RM) code, which reduces the signing complexity and key size compared with existing code-based signature schemes. In fact, it strengthens pqsigRM submitted to NIST for post-quantum cryptography standardization. The proposed scheme has the advantage of the pqsigRM decoder and uses public codes that are more difficult to distinguish from random codes. We use (U, U + V)-codes with the high-dimensional hull to overcome the disadvantages of code-based schemes. The proposed decoder samples from coset elements with small Hamming weight for any given syndrome and efficiently finds such an element. Using a modified RM code, the proposed signature scheme resists various known attacks on RM-code-based cryptography. For 128 bits of classical security, the signature size is 4096 bits, and the public key size is less than 1 MB.

Nowadays, public-key cryptography is based on number-theoretic problems such as computing the discrete logarithm on an elliptic curve or factoring large integers. Even though these problems are considered hard to solve on a classical computer, they can be solved in polynomial time on a quantum computer, which is why the research community has proposed alternative, quantum-resistant solutions. The search for adequate post-quantum cryptographic schemes has moved to the next level following NIST's announcement of post-quantum standardization.
One of the oldest quantum-resistant propositions goes back to McEliece in 1978, who proposed a public-key cryptosystem based on coding theory. It benefits from very efficient algorithms as well as a strong mathematical background. Nonetheless, its security has been challenged many times and several variants were cryptanalyzed. However, some versions remain unbroken.
In this paper, we give some background on coding theory in order to present some of the main flaws in the protocols. We analyze the existing side-channel attacks and give some recommendations on how to securely implement the most suitable variants. We also detail some structural attacks and potential drawbacks of new variants.

The McEliece public key cryptosystem (PKC) is regarded as secure in the presence of quantum computers because no efficient quantum algorithm is known for the underlying problems which this cryptosystem is built upon. As we show in this paper, a straightforward implementation of this system may feature several side channels. Specifically, we present a Timing Attack which was executed successfully against a software implementation of the McEliece PKC. Furthermore, the critical system components for key generation and decryption are inspected to identify channels enabling power and cache attacks. Implementation aspects are proposed as countermeasures to face these attacks.

With respect to performance, asymmetric code-based cryptography based on binary Goppa codes has been reported as a highly interesting alternative to RSA and ECC. A major drawback is still the large keys in the range between 50 and 100KB that prevented real-world applications of code-based cryptosystems so far. A recent proposal by Misoczki et al. showed that quasi-cyclic moderate-density parity-check (QC-MDPC) codes can be used in McEliece encryption, reducing the public key to just 0.6KB to achieve an 80-bit security level. In this article, we provide optimized decoding techniques for MDPC codes and survey several efficient implementations of the QC-MDPC McEliece cryptosystem. This includes high-speed and lightweight architectures for reconfigurable hardware, efficient coding styles for ARM's Cortex-M4 microcontroller, and novel high-performance software implementations that fully employ vector instructions. Finally, we conclude that McEliece encryption in combination with QC-MDPC codes not only enables high-performance implementations but also allows for lightweight designs on a wide range of different platforms.

A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic ( \(\mathrm{QC}\) ), quasi-dyadic ( \(\mathrm{QD}\) ), or quasi-monoidic ( \(\mathrm{QM}\) ) matrices. We show that the very same reason that allows one to construct a compact public key makes the key-recovery problem intrinsically much easier. The gain in public-key size induces an important security drop, which is as large as the compression factor \(p\) on the public key. The fundamental remark is that from the \(k\times n\) public generator matrix of a compact McEliece, one can construct a \(k/p \times n/p\) generator matrix which is—from an attacker's point of view—as good as the initial public key. We call this new smaller code the folded code. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key recovery in practice, we also improve the algebraic technique of Faugère, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing us to include codes defined over any prime field in the scope of our attack. We describe a so-called “structural elimination”, a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS signatures based on \(\mathrm{QD}\) / \(\mathrm{QM}\) codes that have been proposed can be broken by this approach. In most cases, our attack takes a few seconds (the hardest case requires less than 2 h). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for \(\mathrm{QD}\) and \(\mathrm{QM}\) encryption schemes.
We mention that some parameters that have been proposed in the literature remain out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with \(\mathrm{QM}\) or \(\mathrm{QD}\) symmetries. Indeed, the security of such schemes does not rely on the bigger compact public matrix but on the small folded code, which can be efficiently broken in practice with an algebraic attack for a large set of parameters.

The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A well-known trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non-trivial automorphism group. Such codes then display symmetries allowing compact parity-check or generator matrices. For instance, a key reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes. We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key recovery on the original symmetric public code to the key recovery on a (much) smaller code that no longer has symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold: the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principle of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. Dür). This enables not only a unified view but also a generalization of the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

Together with masking, shuffling is one of the most frequently considered solutions to improve the security of small embedded devices against side-channel attacks. In this paper, we provide a comprehensive study of this countermeasure, including improved implementations and a careful information-theoretic and security analysis of its different variants. Our analyses lead to important conclusions as they moderate the strong security improvements claimed in previous works. They suggest that simplified versions of shuffling (e.g. using random start indexes) can be significantly weaker than their counterparts using full permutations. We further show with an experimental case study that such simplified versions can be as easy to attack as unprotected implementations. We finally exhibit the existence of "indirect leakages" in shuffled implementations that can be exploited due to the different leakage models of the different resources used in cryptographic implementations. This suggests the design of fully shuffled (and efficient) implementations, where both the execution order of the instructions and the physical resources used are randomized, as an interesting scope for further research.

In this work, we propose two McEliece variants: one from Moderate Density Parity-Check (MDPC) codes and another from quasi-cyclic MDPC codes. MDPC codes are LDPC codes of higher density (and worse error-correction capability) than what is usually adopted for telecommunication applications. However, in cryptography we are not necessarily interested in correcting many errors, but only a number which ensures an adequate security level. By this approach, we reduce, under certain hypotheses, the security of the scheme to the well-studied decoding problem. Furthermore, the quasi-cyclic variant provides extremely compact keys (for 80 bits of security, public keys have only 4801 bits).

Since the introduction of side-channel attacks in the nineties, RSA implementations have been a privileged target. A wide variety of countermeasures have been proposed and most practical attacks are nowadays efficiently defeated by them. However, in a recent work published at ICICS 2010, Clavier et al. have pointed out that almost all the existing countermeasures are ineffective if the attacks are performed with a modus operandi called Horizontal. Such attacks, originally introduced by Colin Walter at CHES 2001, involve a single observation trace, contrary to the classical attacks where several are required. To defeat Horizontal attacks, the authors of the ICICS paper proposed a set of new countermeasures. In this paper, we introduce a general framework that models both Horizontal and classical attacks (called Vertical) in a simple way. This framework highlights the similarities and the differences of those attack types. From this formalism, we show that even if Clavier et al.'s countermeasures thwart existing attacks, they do not fully solve the leakage issue. Actually, flaws are exhibited in this paper and efficient attacks are devised. We eventually propose a new countermeasure.

We describe a family of highly efficient codes for cryptographic purposes and dedicated algorithms for their manipulation. Our proposal is especially tailored for highly constrained platforms, and surpasses certain conventional and post-quantum proposals (like RSA and NTRU, respectively) according to most if not all efficiency metrics.

Research within “post-quantum” cryptography has focused on the development of schemes that resist quantum cryptanalysis. However, if such schemes are to be deployed, practical questions of efficiency and physical security should also be addressed; this is particularly important for embedded systems. To this end, we investigate issues relating to side-channel attacks against the McEliece and Niederreiter public-key cryptosystems, for example improving those presented by Strenzke et al. (Side channels in the McEliece PKC, vol. 5299, pp. 216–229, 2008), and novel countermeasures against such attacks.
Keywords: Public-key cryptography, McEliece, Niederreiter, Embedded systems, Side-channel attack

In this paper we propose a new approach to investigate the security of the McEliece cryptosystem. We recall that this cryptosystem relies on the use of error-correcting codes. Since its invention thirty years ago, no efficient attack had been devised that managed to recover the private key. We prove that the private key of the cryptosystem satisfies a system of bi-homogeneous polynomial equations. This property is due to the particular class of codes considered, which are alternant codes. We have used these highly structured algebraic equations to mount an efficient key-recovery attack against two recent variants of the McEliece cryptosystem that aim at reducing public key sizes. These two compact variants of McEliece managed to propose keys with less than 20,000 bits. To do so, they proposed to use quasi-cyclic or dyadic structures. An implementation of our algebraic attack in the computer algebra system Magma allows one to find the secret key in negligible time (less than one second) for almost all the proposed challenges. For instance, a private key designed for 256-bit security has been found in 0.06 seconds with about \(2^{17.8}\) operations.

In this paper, we formally prove that padding the plaintext with a random bit-string provides semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, Niederreiter's) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Imai and Kobara in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt '05 showing "pseudorandomness" implied by the learning parity with noise (LPN) problem. We do not need random oracles, as opposed to the known conversions, while the recent ones provide stronger protection (as compared to our scheme) against adaptive chosen ciphertext attack (IND-CCA2). In order to show that the padded version of the cryptosystem remains practical, we provide estimates for suitable key sizes together with the corresponding work required for a successful attack.

This work presents the first differential power analysis of an implementation of the McEliece cryptosystem. Target of this side-channel attack is a state-of-the-art FPGA implementation of the efficient QC-MDPC McEliece decryption operation as presented at DATE 2014. The presented cryptanalysis succeeds to recover the complete secret key after a few observed decryptions. It consists of a combination of a differential leakage analysis during the syndrome computation followed by an algebraic step that exploits the relation between the public and private key.

Instantiations of the McEliece cryptosystem which are considered computationally secure even in a post-quantum era still require hardening against side channel attacks for practical applications. Recently, the first differential power analysis attack on a McEliece cryptosystem successfully recovered the full secret key of a state-of-the-art FPGA implementation of QC-MDPC McEliece. In this work we show how to apply masking countermeasures to the scheme and present the first masked FPGA implementation that includes these countermeasures. We validate the side channel resistance of our design by practical DPA attacks and statistical tests for leakage detection.

Recent advances in code-based cryptography paved new ways for efficient asymmetric cryptosystems that combine decent performance with moderate key sizes. In this context, Misoczki et al. recently proposed the use of quasi-cyclic MDPC (QC-MDPC) codes for the McEliece cryptosystem. It was shown that these codes can provide both compact key representations and solid performance on high-end computing platforms. However, for widely used low-end microcontrollers only slow implementations for this promising construction have been presented so far.
In this work we present an implementation of QC-MDPC McEliece encryption providing 80 bits of equivalent symmetric security on low-cost ARM Cortex-M4-based microcontrollers with a reasonable performance of 42ms for encryption and 251-558ms for decryption. Besides practical issues such as random error generation, we demonstrate side-channel attacks on a straightforward implementation of this scheme and finally propose timing- and instruction-invariant coding strategies and countermeasures to strengthen it against timing attacks as well as simple power analysis.

A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.

With RSA and ECC cryptosystems broken in an era of quantum computing, asymmetric code-based cryptography is an established alternative that can be a potential replacement. A major drawback is the large keys, in the range between 50 kByte and several MByte, that have prevented real-world applications of code-based cryptosystems so far. A recent proposal by Misoczki et al. showed that quasi-cyclic moderate density parity-check (QC-MDPC) codes can be used in McEliece encryption, reducing the public key to just 0.6 kByte to achieve an 80-bit security level. Despite reasonably small key sizes that could also enable small designs, previous work only reports high-performance implementations with high resource consumption of more than 13,000 slices on a large Xilinx Virtex-6 FPGA for a combined en-/decryption unit. In this work we focus on lightweight implementations of code-based cryptography and demonstrate that McEliece encryption using QC-MDPC codes can be implemented with a significantly smaller resource footprint, still achieving reasonable performance sufficient for many applications, e.g., challenge-response protocols or hybrid firmware encryption. More precisely, our design requires just 68 slices for the encryption and around 150 slices for the decryption unit and is able to en-/decrypt an input block in 2.2 ms and 13.4 ms, respectively.

In the last years code-based cryptosystems were established as promising alternatives for asymmetric cryptography since they base their security on well-known NP-hard problems and still show decent performance on a wide range of computing platforms. The main drawback of code-based schemes, including the popular proposals by McEliece and Niederreiter, are the large keys whose size is inherently determined by the underlying code. In a very recent approach, Misoczki et al. proposed to use quasi-cyclic MDPC (QC-MDPC) codes that allow for a very compact key representation. In this work, we investigate novel implementations of the McEliece scheme using such QC-MDPC codes tailored for embedded devices, namely a Xilinx Virtex-6 FPGA and an 8-bit AVR microcontroller. In particular, we evaluate and improve different approaches to decode QC-MDPC codes. Besides competitive performance for encryption and decryption on the FPGA, we achieved a very compact implementation on the microcontroller using only 4,800 and 9,600 bits for the public and secret key at 80 bits of equivalent symmetric security.

Preface 1. Basic concepts of linear codes 2. Bounds on size of codes 3. Finite fields 4. Cyclic codes 5. BCH and Reed-Solomon codes 6. Duadic codes 7. Weight distributions 8. Designs 9. Self-dual codes 10. Some favourite self-dual codes 11. Covering radius and cosets 12. Codes over Z4 13. Codes from algebraic geometry 14. Convolutional codes 15. Soft decision and iterative decoding Bibliography Index.

In order to protect software implementations of secret-key cryptographic primitives against side channel attacks, a software developer has only a limited choice of countermeasures. A combination of masking and randomization of operations in time promises good protection and can be realized without too much overhead. Recently, new advanced DPA methods have been proposed to attack software implementations with this kind of protection. In this work, we have applied these methods successfully to break a protected AES software implementation on a programmable smart card. Thus, we were able to verify the practicality of the new attacks and to estimate their effectiveness in comparison to traditional DPA attacks on unprotected implementations. In the course of our work, we have also refined and improved the original attacks, so that they can be mounted more efficiently. Our practical results indicate that the effort required for attacking the protected implementation with the examined methods is more than two orders of magnitude higher compared to an attack on an unprotected implementation.

Almost all of the current public-key cryptosystems (PKCs) are based on number theory, such as the integer factoring problem and the discrete logarithm problem (which will be solved in polynomial time after the emergence of quantum computers). While the McEliece PKC is based on another theory, i.e. coding theory, it is vulnerable to several practical attacks. In this paper, we carefully review currently known attacks on the McEliece PKC, and then point out that, without any decryption oracles or any partial knowledge of the plaintext of the challenge ciphertext, no polynomial-time algorithm is known for inverting the McEliece PKC whose parameters are carefully chosen. Under the assumption that this inverting problem is hard, we propose slightly modified versions of the McEliece PKC that can be proven, in the random oracle model, to be semantically secure against adaptive chosen-ciphertext attacks. Our conversions can achieve a reduction of the redundant data down to 1/3 ∼ 1/4 compared with the generic conversions for practical parameters.

The McEliece public-key cryptosystem is based on the fact that decoding unknown linear binary codes is an NP-complete problem. The interest in implementing post-quantum cryptographic algorithms, e.g. McEliece, on microprocessor-based platforms has increased considerably due to the increasing storage space of these platforms. Therefore, their vulnerability and robustness against physical attacks, e.g., state-of-the-art power analysis attacks, must be investigated. In this work, we address mainly two power analysis attacks on various implementations of McEliece on an 8-bit AVR microprocessor. To the best of our knowledge, this is the first time that such side-channel attacks are practically evaluated.

In this work we present a novel timing attack against the McEliece public key cryptosystem (PKC). In contrast to former works investigating timing attacks that aim at recovering the message, we devise how to exploit a vulnerability in the Patterson algorithm that allows the attacker to gather information about the secret permutation through a timing side channel. This information can be used to dramatically reduce the cost of a brute force attack against the secret key. We also describe the results obtained from a proof of concept implementation of the attack and give an appropriate countermeasure.

The security of the McEliece public-key cryptosystem is based on the difficulty of the decoding problem, which is NP-hard. In this paper we propose a timing attack on the Patterson algorithm, which is used for efficient decoding in Goppa codes. The attack is based on the relation between the error vector weight and the iteration number of the extended Euclidean algorithm used in the Patterson algorithm. This attack enables the extraction of the secret error vector with minimal overhead. A countermeasure is proposed and verified for an FPGA implementation.

Power analysis attacks allow the extraction of secret information from smart cards. Smart cards are used in many applications including banking, mobile communications, pay TV, and electronic signatures. In all these applications, the security of the smart cards is of crucial importance. Power Analysis Attacks: Revealing the Secrets of Smart Cards is the first comprehensive treatment of power analysis attacks and countermeasures. Based on the principle that the only way to defend against power analysis attacks is to understand them, this book explains how power analysis attacks work. Using many examples, it discusses simple and differential power analysis as well as advanced techniques like template attacks. Furthermore, this volume provides an extensive discussion of countermeasures like shuffling, masking, and DPA-resistant logic styles. By analyzing the pros and cons of the different countermeasures, Power Analysis Attacks: Revealing the Secrets of Smart Cards allows practitioners to decide how to protect smart cards. This book also provides valuable information for graduate and advanced undergraduate students, and researchers working in information security. © 2007 Springer Science+Business Media, LLC. All rights reserved.

The power consumed by a circuit varies according to the activity of its individual transistors and other components. As a result, measurements of the power used by actual computers or microchips contain information about the operations being performed and the data being processed. Cryptographic designs have traditionally assumed that secrets are manipulated in environments that expose no information beyond the specified inputs and outputs. This paper examines how information leaked through power consumption and other side channels can be analyzed to extract secret keys from a wide range of devices. The attacks are practical, non-invasive, and highly effective, even against complex and noisy systems where cryptographic computations account for only a small fraction of the overall power consumption. We also introduce approaches for preventing DPA attacks and for building cryptosystems that remain secure even when implemented in hardware that leaks.

In the first of two papers on Magma, a new system for computational algebra, we present the Magma language, outline the design principles and theoretical background, and indicate its scope and use. Particular attention is given to the constructors for structures, maps, and sets. © 1997 Academic Press Limited. Magma is a new software system for computational algebra, the design of which is based on the twin concepts of algebraic structure and morphism. The design is intended to provide a mathematically rigorous environment for computing with algebraic structures (groups, rings, fields, modules and algebras), geometric structures (varieties, special curves) and combinatorial structures (graphs, designs and codes). The philosophy underlying the design of Magma is based on concepts from Universal Algebra and Category Theory. Key ideas from these two areas provide the basis for a general scheme for the specification and representation of mathematical structures. The user language includes three important groups of constructors that realize the philosophy in syntactic terms: structure constructors, map constructors and set constructors. The utility of Magma as a mathematical tool derives from the combination of its language with an extensive kernel of highly efficient C implementations of the fundamental algorithms for most branches of computational algebra. In this paper we outline the philosophy of the Magma design and show how it may be used to develop an algebraic programming paradigm for language design. In a second paper we will show how our design philosophy allows us to realize natural computational "environments" for different branches of algebra. An early discussion of the design of Magma may be found in Butler and Cannon (1989, 1990). A terse overview of the language together with a discussion of some of the implementation issues may be found in Bosma et al. (1994).

A public-key cryptosystem which appears quite secure while at the same time allowing extremely rapid data rates, is constructed for use in multi-user communication networks, such as those envisioned by NASA for the distribution of space-acquired data.

A low-density parity-check code is a code specified by a parity-check matrix with the following properties: each column contains a small fixed number j ≥ 3 of 1's and each row contains a small fixed number k > j of 1's. The typical minimum distance of these codes increases linearly with block length for a fixed rate and fixed j. When used with maximum likelihood decoding on a sufficiently quiet binary-input symmetric channel, the typical probability of decoding error decreases exponentially with block length for a fixed rate and fixed j. A simple but nonoptimum decoding scheme operating directly from the channel a posteriori probabilities is described. Both the equipment complexity and the data-handling capacity in bits per second of this decoder increase approximately linearly with block length. For j > 3 and a sufficiently low rate, the probability of error using this decoder on a binary symmetric channel is shown to decrease at least exponentially with a root of the block length. Some experimental results show that the actual probability of decoding error is much smaller than this theoretical bound.
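The simple decoder Gallager describes above is, in its hard-decision form, the bit-flipping rule that the QC-MDPC McEliece decryptors in the earlier abstract also build on: recompute the syndrome, count for every bit how many unsatisfied checks it takes part in, flip the most suspicious bits, repeat. The following is an added example, not code from Gallager's paper or from any of the cited implementations; the block size P = 7 and the two circulant supports are constructed toy parameters, and the quasi-cyclic matrix H = [H0 | H1] is used because that is the shape of the sparse parity-check matrix that forms the private key in QC-MDPC McEliece.

```python
"""Gallager-style hard-decision bit-flipping decoder on a tiny quasi-cyclic
MDPC-like code.  Added example with constructed parameters; a real QC-MDPC
instance uses circulant blocks of thousands of bits and column weights of ~45.
"""

P = 7                    # circulant block size (toy value, assumed here)
H0_SUPPORT = (0, 1, 3)   # ones in the first row of the first circulant block
H1_SUPPORT = (0, 2, 3)   # ones in the first row of the second circulant block


def circulant(support, p=P):
    """p x p binary circulant matrix: row i is the first row rotated right by i."""
    return [[1 if (j - i) % p in support else 0 for j in range(p)] for i in range(p)]


def parity_check_matrix():
    """H = [H0 | H1]: p rows, 2p columns, every column of weight 3 (sparse, MDPC-like).
    In QC-MDPC McEliece this sparse H is the secret key."""
    return [r0 + r1 for r0, r1 in zip(circulant(H0_SUPPORT), circulant(H1_SUPPORT))]


def syndrome(H, word):
    """s = H * word^T over GF(2); the all-zero syndrome means 'word' is a codeword."""
    return [sum(h * w for h, w in zip(row, word)) % 2 for row in H]


def bit_flip_decode(H, received, max_iter=10):
    """Bit flipping: in every round count, for each bit, the unsatisfied checks it is
    involved in, flip all bits that attain the maximum count, and stop once the
    syndrome vanishes.  Returns the corrected word, or None on decoding failure."""
    word = list(received)
    for _ in range(max_iter):
        s = syndrome(H, word)
        if not any(s):
            return word
        unsatisfied = [i for i, bit in enumerate(s) if bit]
        counters = [sum(H[i][j] for i in unsatisfied) for j in range(len(word))]
        top = max(counters)
        for j, count in enumerate(counters):
            if count == top:
                word[j] ^= 1
    return None


def example_codeword(p=P):
    """A nonzero codeword of [H0 | H1]: (rev(h1) | rev(h0)) with rev(h)[j] = h[-j mod p].
    Multiplication by circulants commutes, so H0*rev(h1) and H1*rev(h0) coincide and
    cancel in H * c^T over GF(2)."""
    def rev(support):
        return [1 if (-j) % p in support else 0 for j in range(p)]
    return rev(H1_SUPPORT) + rev(H0_SUPPORT)


if __name__ == "__main__":
    H = parity_check_matrix()
    c = example_codeword()
    noisy = list(c)
    noisy[9] ^= 1                          # one bit error in the second block
    print("codeword      ", c, "syndrome", syndrome(H, c))
    print("received      ", noisy, "syndrome", syndrome(H, noisy))
    print("bit-flip result", bit_flip_decode(H, noisy))
```

With these supports any two columns of H overlap in at most two rows, so a single error leaves exactly one column with all three of its checks unsatisfied and the decoder corrects it in one round; with several errors the flipping rule is not guaranteed to converge, and a None return is exactly the decoding failure that practical MDPC decoders must keep rare.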

The fact that the general decoding problem for linear codes and the general problem of finding the weights of a linear code are both NP-complete is shown. This strongly suggests, but does not rigorously imply, that no algorithm for either of these problems which runs in polynomial time exists.

Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information. Keywords: differential power analysis, DPA, SPA, cryptanalysis, DES. Background: Attacks that involve multiple parts of a security system are difficult to predict and model. If cipher designers, software developers, and hardware engineers do not understand or review each other's work, security assumptions made at each level of a system's design may be incomplete or unrealistic. As a result, security faults often involve unanticipated interactions between components designed by different people. Many techniques ...
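The two Kocher et al. abstracts above (and the masked-AES attack abstract earlier on this page) describe differential power analysis without showing the statistic that does the work. The following is an added example, not code from those papers: it runs the original difference-of-means DPA against one key byte of the first AES SubBytes operation on constructed traces. The "measurements" are a Hamming-weight leakage model plus Gaussian noise, standing in for oscilloscope samples of a real device; the key byte, trace count, noise level and seed are arbitrary choices made here.

```python
"""Difference-of-means DPA on simulated power traces of the first AES SubBytes.
Added example; the leakage model and every trace below are constructed."""
import random
from statistics import mean


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _build_sbox():
    """Derive the AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for shift in range(1, 5):                      # s = inv ^ rotl(inv,1..4) ^ 0x63
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, noise_sd=1.0, seed=2014):
    """Constructed campaign: one random plaintext byte per trace, and one sample
    per trace that leaks HW(SBOX[p ^ k]) buried in Gaussian noise."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        plaintexts.append(p)
        traces.append(hamming_weight(SBOX[p ^ key_byte]) + rng.gauss(0.0, noise_sd))
    return plaintexts, traces


def dom_scores(plaintexts, traces, target_bit=0):
    """Kocher's difference of means for all 256 key hypotheses.

    Selection function: one bit of the predicted SubBytes output.  For the right
    key the two partitions really differ in that bit, so their mean power differs
    by about one Hamming-weight unit; for a wrong key the partition is unrelated
    to what the device computed and the two means converge."""
    scores = []
    for k in range(256):
        ones, zeros = [], []
        for p, t in zip(plaintexts, traces):
            (ones if (SBOX[p ^ k] >> target_bit) & 1 else zeros).append(t)
        scores.append(abs(mean(ones) - mean(zeros)) if ones and zeros else 0.0)
    return scores


def recover_key_byte(plaintexts, traces, target_bit=0):
    """Return (best hypothesis, its DoM peak, the largest peak among wrong keys)."""
    scores = dom_scores(plaintexts, traces, target_bit)
    best = max(range(256), key=scores.__getitem__)
    runner_up = max(s for k, s in enumerate(scores) if k != best)
    return best, scores[best], runner_up


if __name__ == "__main__":
    pts, trs = simulate_traces(key_byte=0x2B, n_traces=2000)
    k, peak, ghost = recover_key_byte(pts, trs)
    print(f"recovered key byte 0x{k:02X}: DoM peak {peak:.2f}, best wrong key {ghost:.2f}")
```

The ratio between the correct peak and the best wrong hypothesis is what grows with the number of traces; the masking and time-randomization countermeasures described in the abstract above work by breaking the link between the predicted intermediate and the sample the statistic is computed on, which is why the protected implementation needed orders of magnitude more effort.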

The author advocates two specific mathematical notations from his popular course and joint textbook, "Concrete Mathematics". The first of these, extending an idea of Iverson, is the notation "[P]" for the function which is 1 when the Boolean condition P is true and 0 otherwise. This notation can encourage and clarify the use of characteristic functions and Kronecker deltas in sums and integrals. The second notation puts Stirling numbers on the same footing as binomial coefficients. Since binomial coefficients are written on two lines in parentheses and read "n choose k", Stirling numbers of the first kind should be written on two lines in brackets and read "n cycle k", while Stirling numbers of the second kind should be written in braces and read "n subset k". (I might say "n partition k".) The written form was first suggested by Imanuel Marx. The virtues of this notation are that Stirling partition numbers frequently appear in combinatorics, and that it more clearly presents functional relations similar to those satisfied by binomial coefficients.

The myth of generic DPA

- C Whitnall
- E Oswald
- F.-X Standaert
- J Benaloh