A Timing Attack on the HQC Encryption Scheme

The HQC public-key encryption scheme is a promising code-based submission to NIST’s post-quantum cryptography standardization process. The scheme is based on the decisional decoding problem for random quasi-cyclic codes. One problem with HQC’s reference implementation, submitted to NIST in the first round of the standardization process, is that the decryption operation is not constant-time. In particular, the decryption time depends on the number of errors corrected by the BCH decoder. We use this to present the first timing attack against HQC. The attack is practical: it requires the attacker to record the decryption time of around 400 million ciphertexts for an HQC parameter set corresponding to 128 bits of security. This makes constant-time decoders mandatory if the scheme is to be considered secure.
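The leak the abstract describes, as an added toy model that is not the paper's code and not HQC's reference implementation. The page states only that decryption time depends on how many errors the BCH decoder corrects; the exhaustive syndrome decoder below is a stand-in chosen for brevity (an assumption, not HQC's decoding algorithm) on a [15,7] binary BCH code with t = 2. The variable-time decoder stops as soon as it finds the matching error pattern, so its work count grows with the number of errors and an observer can read the error weight off the decoder's running time; the constant-time variant always scans the whole table and selects the match with a mask. The work counter stands in for wall-clock time so the behaviour is deterministic; CPython itself gives no constant-time guarantee, the point is the control-flow structure.

```python
"""Toy model of an error-count-dependent BCH decoder versus a constant-time one.

Added example, not the paper's or HQC's code.  The [15,7] BCH code and the
exhaustive syndrome-table decoder are assumptions chosen to keep the example
short; HQC's reference implementation used a different BCH decoding method.
"""
from itertools import combinations
from math import comb

N = 15            # code length
K = 7             # dimension
T = 2             # correctable errors (minimum distance 5)
# g(x) = (x^4 + x + 1)(x^4 + x^3 + x^2 + x + 1) = x^8 + x^7 + x^6 + x^4 + 1
GEN = 0b111010001


def poly_mod(a: int, g: int) -> int:
    """Remainder of the binary polynomial a modulo g, arithmetic in GF(2)[x]."""
    dg = g.bit_length() - 1
    while a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a


def encode(msg: int) -> int:
    """Systematic encoding: message in the high K bits, parity in the low N-K bits."""
    shifted = msg << (N - K)
    return shifted | poly_mod(shifted, GEN)


def syndrome(word: int) -> int:
    """Syndrome is the remainder modulo g(x); zero for every codeword."""
    return poly_mod(word, GEN)


# Correctable error patterns in order of increasing weight: 1 + 15 + 105 entries.
# Distinct patterns of weight <= T have distinct syndromes because d = 5 > 2T.
PATTERNS = []
for w in range(T + 1):
    for positions in combinations(range(N), w):
        e = 0
        for p in positions:
            e |= 1 << p
        PATTERNS.append((syndrome(e), e))


def decode_variable_time(word: int):
    """Returns (corrected word or None, work).  Early exit: work depends on error weight."""
    s = syndrome(word)
    work = 0
    for syn, e in PATTERNS:
        work += 1
        if syn == s:                     # data-dependent exit, the leak
            return word ^ e, work
    return None, work                    # more than T errors: decoding failure


def decode_constant_time(word: int):
    """Returns (corrected word or None, work).  Always scans the whole table."""
    s = syndrome(word)
    err = 0
    found = 0
    work = 0
    for syn, e in PATTERNS:
        work += 1
        diff = syn ^ s                   # 0 iff this entry matches
        is_zero = ((diff - 1) >> (N - K)) & 1   # 1 iff diff == 0, no branch
        err |= e & -is_zero              # select the matching pattern with a mask
        found |= is_zero
    return (word ^ err if found else None), work


def leaked_error_weight(work: int):
    """What a timing observer learns from the variable-time decoder's work count."""
    bound = 0
    for w in range(T + 1):
        bound += comb(N, w)              # last work value for patterns of weight w
        if work <= bound:
            return w
    return None                          # full scan: decoding failure


if __name__ == "__main__":
    cw = encode(0b1011001)               # constructed sample message
    for errs in (0, 1 << 3, (1 << 3) | (1 << 12)):
        _, w_var = decode_variable_time(cw ^ errs)
        _, w_ct = decode_constant_time(cw ^ errs)
        print(f"errors={bin(errs).count('1')} variable-time work={w_var:3d} "
              f"(leaks weight {leaked_error_weight(w_var)}) constant-time work={w_ct}")
```

The attack in the paper does not need the exact error count from a single trace; it averages the decryption time of many ciphertexts, which is why the cost is stated in number of recorded decryptions. The countermeasure the abstract calls for is the second decoder's shape: the same work on every input, with the result selected by masking rather than by a branch.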
