INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL ISSN 1841-9836, 12(1):7-25, February 2017. Improved Timing Attacks against the Secret Permutation in the McEliece PKC D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond Dominic Bucerzan* Aurel Vlaicu University of Arad Department of Mathematics and Computer Science Romania, 310330 Arad, Elena Dragoi, 2 Corresponding author:dominic@bbcomputer.ro Pierre-Louis Cayrel Laboratoire Hubert Curien, UMR CNRS 5516, Université de Lyon, Saint-Etienne, France pierre.louis.cayrel@univ-st-etienne.fr Vlad Dragoi Laboratoire LITIS - EA 4108 Université de Rouen - UFR Sciences et Techniques, 76800 Saint Etienne du Rouvray, France vlad.dragoi1@univ-rouen.fr Tania Richmond Laboratoire IMATH, EA 2134, Avenue de l’Université , BP 20132, 83957 La Garde Cedex, France tania.richmond@univ-tln.fr Abstract: In this paper, we detail two side-channel attacks against the McEliece public-key cryptosystem. They are exploiting timing differences on the Patterson decoding algorithm in order to reveal one part of the secret key: the support permu- tation. The first one is improving two existing timing attacks and uses the correlation between two different steps of the decoding algorithm. This improvement can be deployed on all error-vectors with Hamming weight smaller than a quarter of the minimum distance of the code. The second attack targets the evaluation of the error locator polynomial and succeeds on several different decoding algorithms. We also give an appropriate countermeasure. Keywords: communication systems, theory of error correcting codes, code-based cryptography, McEliece PKC, side-channel attacks, timing attack, extended Euclidean algorithm. 1 Introduction In the history of cryptography public key schemes are quite recent. In the classic era both encryption and decryption algorithms are symmetric, that is why having access to the keys gives a total control on both encryption and decryption steps. These types of schemes are called symmetric cryptosystem and are still widely used. Nonetheless several security properties can hardly be achieved with the use of symmetric cryptography. That is the main reason public key cryptography appeared. The first public key cryptosystem was invented by Diffie and Hellman [5]. But despite the fact that public key schemes are rather new, they are widely spread in practice. Moreover there are few constructions to be used in practice and they are all based on number theory problems, more exactly the hardness of factoring and discrete logarithm problem. But this is rather concerning since there is little theoretical support indicating that these problems are indeed hard. One of the main threats for these schemes is the arrival of the quantum computer. Peter Shor has shown that both computation of discrete logarithm and factoring problem can be done in polynomial time on a quantum machine [13]. In reaction to this thread, several solutions have been proposed, such as hash-based cryp- tography, code-based cryptography, lattice-based cryptography, and multivariate cryptography. The new facts concerning the post-quantum cryptography are well discussed in [2]. Code-based cryptosystems were introduced in 1978 by Robert J. McEliece [8]. But many variants were at- tacked and partially or totally broken. Up to now, none of the proposed variants seemed as Copyright © 2006-2017 by CCC Publications 8 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond strong and secure as the original McEliece public-key cryptosystem (PKC) using Goppa codes. Structural attacks managed to reveal the secret key and totally break variants that used the generalized Reed-Solomon codes [15] or QC-LDPC codes [10] and many other variants. As the Goppa codes still resist to structural attacks, they present a real interest in our approach. So we focus our attention on the cryptanalysis of the McEliece PKC using Goppa codes. More exactly on the side-channel attacks using time differences between two executions of the same task. The interest of timing attacks is both practical and theoretical: we avoid unsecured implementations and discover new attacks succeeding in a polynomial time. The main purpose of these type of attacks is to reveal a part of the secret key and a breaking point of an algorithm. The authors of such exploits usually end up by giving the necessary countermeasures and the secure variant of the algorithms. In the case of the McEliece PKC using Goppa codes, most of the timing attacks were dis- covered since 2008. Falko Strenzke’s articles mention several weak points mostly situated in the decoding algorithm [14, 16, 18, 19]. Some of these can be repaired by an intelligent and cau- tious way of the programming manner where countermeasures were proposed in [1, 3, 19]. All of the mentioned attacks were realised on a McEliece PKC implementation using the Patterson algorithm (cf. Fig. 1) for decoding Goppa codes. The number of error corrections in the Patter- son algorithm is bounded: up to t errors can be corrected, where t is the degree of the Goppa polynomial. Our contribution is to reveal a new timing attack against the error-locator polynomial (ELP) evaluation and to improve two existing attacks. In our new version of the two existing attacks combined, we detail how the relation between the two attacks is crucial in order to avoid eventual errors. The attacks are executed on the extended Euclidean algorithm (EEA) and exploit the number of iterations. As the authors mentioned, the initial attacks are limited and may not allow the total break of the permutation. This limit is situated in the number of equations detected by their attack. We will use a new relation between the number of iterations in the two steps in order to expand the system and to fully determine the secret permutation. We will also give a single countermeasure, which is efficient to all types of attacks exploiting the EEA in this particular manner. The second contribution is in giving a new timing attack against the ELP evaluation. The importance of this new attack is that it operates on the polynomial evaluation, applied in several decoding algorithms as the Patterson algorithm, Berlekamp-Massey algorithm or any general decoder for alternant codes. We will show that this attacks succeeds on several variants of the polynomial evaluation. 2 Background For all the necessary background on coding theory we address the reader to any book in this field, for example [7]. Nevertheless we give here the details concerning binary Goppa codes. 2.1 Goppa codes Definitions and Properties We will focus exclusively on binary Goppa codes in this paper, but it is easy to generalize our results to q-ary codes: -Goppa polynomial: g(x) is a polynomial over F2m[x] with deg(g) = t. -Goppa support: L = {α0,α1, ..,αn−1} subset of F2m s.t. g(αi) 6= 0. The syndrome polynomial associated to c ∈ Fn2: Sc(x) = n∑ i=1 ci x+αi . Improved Timing Attacks against the Secret Permutation in the McEliece PKC 9 Definition 1 (Binary Goppa code). Given g(x),L and Sc(x) the binary Goppa code is defined as: Γ(L,g) = {c ∈ Fn2 | Sc(x) ≡ 0 mod g(x)}. Among the most important properties that a Goppa code satisfies we recall the followings: Proposition 2. A Goppa code Γ(L,g) is a linear code over F2. Its length is given by n = |L|, its dimension is k ≥ n−mt, where t = deg(g) and its minimun distance d ≥ t + 1. The syndrome polynomial Sc(x) satisfies the following property: Sc(x) = ω(x) σ(x) mod g(x), where σ(x) = t∏ i=1 (x + ai) is called the error locator polynomial (ELP) and the elements ∀i ∈ {1, . . . , t}ai ∈L are the error positions. Irreducible binary Goppa codes are defined by an irreducible Goppa polynomial g and admit the maximum length n = 2m. We use this type of codes in the rest of the paper and adopt the following notations: • For the permutation of the support elements: Π(L) = L′ = (Π(0), Π(1), . . . , Π(αi), . . . , Π(αn−2)). where Π is an element of the symmetric group. • Let P(x) be a monic polynomial of degree t over F2m with t roots denoted ai: P(x) = xt + Stt−1x t−1 + Stt−2x t−2 + . . . + St2x 2 + St1x + S t 0, where the coefficients Si ∈ Fm2 are the elementary symmetric functions: Stt−1 = t∑ i=1 ai, Stt−2 = t∑ i=1,j=1 i6=j aiaj, . . ., St1 = t∑ j=1 t∏ i=1 i 6=j ai and St0 = t∏ i=1 ai. Alternant decoders For the (irreducible) binary Goppa codes, we can use (at least) three different decoding algo- rithms: 1. the extended Euclidean algorithm (EEA); 2. the Berlekamp-Massey algorithm; 3. the Patterson algorithm. Extended Euclidean Algorithm (EEA). The first decoding algorithm can correct up to t 2 errors. We can increase the error-correction capabcity and correct up to t errors when the syndrome associated to g2 is used. Unfortunately, the corresponding parity check matrix has two times more rows and the construction is more complex. The Berlekamp-Massey algorithm. Similarly as the EEA, the Berlekamp-Massey algorithm has to use g2 in order to decode t errors. The advantage of this algorithm is that it isn’t vulnerable to several existing timing attacks and it allows a fast and constant-time computation. Some advantages are listed in [3]. The Patterson algorithm. The Patterson algorithm offers another solution for the syndrome decoding. The decryption described in [12] permits to correct up to t errors by using the syndrome associated to g but not to g2. 10 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond 2.2 The McEliece Cryptosystem The McEliece PKC [8] is composed by the three following algorithms. Key generation:The first step is to generate the support (the set of n = 2m elements) and the Goppa polynomial g of degree t. Then, the parity check matrix can be built and brought to a systematic form: [In−k|R] in order to recover a generator matrix G of the Goppa code. We randomly choose a non-singular k × k matrix S and a n × n permutation matrix Π, and compute the public k ×n generator matrix G = SGΠ . The key generation procedure outputs sk = (Γ(L,g),S, Π) and pk = (n,t,G). Message encryption: • Inputs: message m ∈ Fk2, public key pk = (n,t,RT ). • Output: ciphertext z ∈ Fn2. 1. Randomly choose an n-bit error-vector with weight wt(e) = t; 2. Encode z = mG⊕e; 3. Return z. Message decryption: • Inputs: ciphertext z ∈ Fn2, secret key sk = (Γ(L,g),S, Π). • Output: message m ∈ Fk2. 1. Compute z′ = zΠ−1; 2. Find m′ = mS from z′ ⊕ e using Decode(z′) with the secret code; 3. Compute m = m′S−1; 4. Return m. Decode(.) is an alternant decoder (presented in the previous subsection). Existing side-channel attacks There are several papers on side-channel attacks against the McEliece PKC and a quick review must be done in order to clear up the reader’s understanding. Most of the attacks target the Patterson decoding algorithm and exploit several weaknesses. Table 1: Patterson algorithm: existing timing attacks and countermeasures Step Ref. Countermeasure ¶ z′ = zΠ−1 · Sz′(x) = H′z′(xt−1, . . . ,x2,x, 1)T ¸ Sz′(x) −1 mod g(x) via EEA [18] control flow ¹ τ(x) = √ x + Sz′(x)−1 º b(x)τ(x) ≡ a(x) mod g(x) [14,16] in EEA make sure deg(a) ≤b t 2 c ; deg(b) ≤bt−1 2 c deg(ri) = deg(ri−1) − 1 via EEA and deg(τ) = t− 1 » σ(x) = a2(x) + xb2(x) ¼ e = (σ(α0),σ(α1), . . . ,σ(αn−1)) ⊕ (1, . . . , 1) [1,17,19] the non-support or make sure deg(σ) = t ½ e′ = eΠ ¾ z = z′ ⊕e′ Improved Timing Attacks against the Secret Permutation in the McEliece PKC 11 There are mainly two types of attacks classified by their goal: 1. Attacks recovering the secret message m [1,17,19]; 2. Attacks recovering (fully or partially) the secret key sk [14,16–18]. The attacks on steps ¸ and º are able to determine some relations on the support elements by counting the number of iterations in the EEA. We improve it in Section 3. The attack on step ¼ reveals error positions using timing differences in the ELP evaluation. The attacker is able to find the error-vector with a certain non negligible probability. The basic idea is that two different polynomials, with some different degrees, are not evaluated in the same time. So the timing difference gives some information on the error-vector. We improve this attack in Section 4. In the rest of this paper, we assume that an attacker chooses a weight 0 < r < t for the error-vector e and we use the following notations: deg(g) = t and wt(e) = r. In the next Sections we will detail the complexity analysis of these attacks as well as adapted parameter values. 3 Timing attack against double using of the EEA Goal: The attacker’s goal is to recover the secret permutation Π. Identification of a leakage: The leakage is identified at steps ¸ and º of the Patterson algorithm. This type of attack was already published in [16,18]. The two steps using the EEA are considered as independent parts. In this section, we propose to show the relation existing between both steps and thus attack them. In fact, the main problem of previous attacks is the limited number of cases that can be exploited. They just can be applied on wt(e) ∈ {2, 4} as shown in [16] or wt(e) ∈{2, 4, 6} as presented in [18]. The problem comes from a simple fact: the number of iterations is given by two conditions. One of the condition is that all of the quotients in the EEA must be polynomials of degree equal to one. So when this condition is not fulfilled the number of iterations could not be any longer controlled by the attacker. We will use N¸ and Nº as notations for the number of iterations in the 3rd step ( respectively 5th step) of the Patterson algorithm. Motivations of our attack: We will show that using the relation between both steps will allow us to fully control the number of iterations. The other contribution is in finding the relation between both steps and in using it for building a larger set of equations. We will show that we are able to extend the limited equation number of the system up to wt(e) = deg(g) 2 . The main interest is that instead of finding only equations involving the permutation of 2, 4 or maybe 6 elements, we can extend it as much as necessary in order to discover the secret permutation. In terms of complexity, instead of enumerating all possible permutations, i.e. n! permutations, we reduce the complexity to the following expression: p∑ i=3 ( n i ) , where p ≤ deg(g) 2 − 1 Hence for small values of p, we have: p∑ i=3 ( n i ) ≤ ( n p ) × (p− 2) ≤ ( en p )p × (p− 2) 12 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond (where e = 2.718281828 . . . is the basis of the natural logarithms). In order to make clear the difference between the naive attack and our attack, we propose to give a lower bound for the complexity of the naive attack:( n e )n ≤ n! Finally: p∑ i=3 ( n i ) ≤ ( en p )p × (p− 2) << (n e )n ≤ n! So the naive attack would be exponential in the length of the code as a timing attack would only have a complexity exponential in the maximum of the error-vector’s weight needed for the attack (often extremely small in comparison with the code’s length). Scenario: The attacker proceeds in the three following steps: 1. He chooses a random message m and computes c = mG; 2. He randomly chooses an error-vector e of small weight wt(e) < t (t is the correction capacity of the code) and computes z = mG⊕e; 3. He sends z to an oracle (O), which outputs the message m and the number of iterations in steps ¸ and º of the Patterson algorithm from Fig. 1. Main idea: For wt(e) = 2p with p ∈ N, the attacker will find equations having the following form: wt(e)∑ i=1 Π(αi) = 0. He will be able to build this type of equations with 0 < wt(e) < deg(g) 2 . We will denote by N¸ the number of iterations in the ¸ step. Conditions: The general assumption is that the attacker knows the public key pk, the order of all elements in the support L (L is supposed to be public, for example in the lexicographic order) and has access to an oracle O. These assumptions are the same as in previously mentionned works. We improve the attack in the same context. The oracle O is also able to give some extra informations: the timing for the whole particular algorithm or just one step. We assume that the attacker can violate the procedure by adding wt(e) < t errors. The attacker is able to choose the number and the positions of errors. 3.1 Step ¸ in the Patterson algorithm It was shown in [18] that the syndrome inversion leaks some information. The attack is based on the number of iterations used in the EEA, in order to compute the inverse of the syndrome polynomial S(x) modulo the Goppa polynomial g(x). It uses the following properties: N¸ ≤ deg(σ) + deg(σ′), for wt(e) < deg(g) 2 . We will not detail here all conditions, as they are well explained in [18], but we only give some important facts in order to make things clearer and to prepare the attack. Let us consider the ELP σ(x) = xr + Srr−1x r−1 + Srr−2x r−2 + · · · + Sr2x 2 + Sr1x + S r 0, with r ≡ 0 mod 2. Then σ′(x) = Srr−1x r−2 + · · · + Sr3x 2 + Sr1. Improved Timing Attacks against the Secret Permutation in the McEliece PKC 13 In this case the maximum number of iterations is given by the coefficient Srr−1 = r∑ i=1 ai. So if Srr−1 6= 0, we obtain N¸ = 2r − 2 and all quotients have a degree equal to 1. If S r r−1 = 0, Srr−3 6= 0, then N¸ = 2r − 4 and all quotients have a degree equal to 1. 3.2 Step º in the Patterson algorithm Locate the leakage: Two observations have to be done in order to understand and to locate the leakage point. The first one is about the number of iterations. It was proven (in [14]) that this number is (with a high probability): Nº = Nº∑ i=1 deg(qi) = deg(b). In the following paragraph, we will give some relations between τ(x), b(x), a(x) and σ(x) (given in steps ¹, º and » in Fig. 1). We will prove some new relations. The new relations between these polynomials allow us to build the attack in such a manner that previous ambigu- ous cases were eliminated. These relations are crucial for better understanding of the entire decryption algorithm as they influence each step of the process and each particular form of the involved polynomials. There are some useful properties that are going to be used in our approach: Proposition 3. 1. If r ≡ 0 mod 2, then deg(a) = r 2 see [14]. 2. If r ≡ 1 mod 2, then deg(b) = r−1 2 see [14]. 3. If deg(τ) ≤br 2 c, then deg(a) = deg(τ) + deg(b). 4. If deg(τ) ≤br 2 c and deg(τ) 6= 0, then wt(e) ≡ 0 mod 2. Fact: • When wt(e) is odd: For an error-vector with Hamming weight wt(e) = 2k + 1, with k ≤ p− 1, we have the following relations: deg(b) = k, deg(a) ≤ k and deg(τ) ≥ 2p−k. • When wt(e) is even: For an error-vector with Hamming weight wt(e) = 2k, with k ≤ p, we have the following relations: deg(a) = k, deg(b) ≤ k − 1 and deg(b) = 0 ⇔ deg(τ) = k. 3.3 Number of iterations We saw that the number of iterations in the EEA equals deg(b) so we will focus on the form of the polynomial b(x). More exactly, in the case when r is even. Let: σ(x) = x2p + S 2p 2p−1x 2p−1 + S 2p 2p−2x 2p−2 + S 2p 2p−3x 2p−3 + . . . + S 2p 2 x 2 + S 2p 1 x + S 2p 0 . We separate odd powers from even ones and get: σ(x) = (x2p + S 2p 2p−2x 2p−2 + . . . + S 2p 2 x 2 + S 2p 0 ) +(S 2p 2p−1x 2p−1 + S 2p 2p−3x 2p−3 + . . . + S 2p 1 x) σ(x) = (xp + √ S 2p 2p−2x p−1 + . . . + √ S 2p 2 x + √ S 2p 0 ) 2 +x( √ S 2p 2p−1x p−1 + . . . + √ S 2p 1︸ ︷︷ ︸ b(x) ) 2 14 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond So deg(b) is given by the coefficients S2p2i−1 with i ∈ {1, 2, . . . ,p}. Therefore the number of iterations could be given by the same coefficients under an extra condition: all of the quotients have a degree equal to one. So we can distinguish p−1 possible cases depending on the coefficients, if the degree of the coefficients is equal to 1 in each iteration. Therefore:  Nº = p− 1 if S 2p 2p−1 6= 0 Nº = p− 2 if S 2p 2p−1 = 0 and S 2p 2p−3 6= 0 Nº = p− 3 if S 2p 2p−1 = 0 S 2p 2p−3 = 0 and S 2p 2p−5 6= 0 ... In all cases, the same assumption is made: the degree of the quotient equals 1 in each iteration. It means that we might have the number of iterations without any condition on the coefficients. 3.4 Attack against the pair (N¸,Nº) How it works. In this paragraph, we will explain how our attack works. We start by presenting the general relation for the pair (N¸,Nº). Using 3.1 and 3.2 we get the following property: Proposition 4. Let wt(e) = 2p < t/2. (N¸,Nº) = (4p− 4,p− 2) ⇒ 2p∑ i=1 ai = 0 with probability Psuccess. We will give a snapshot of each step in the attack and give some information on the success probability. 1. Find the position of Π(0) (see [14]). 2. Set wt(e) = 4: Fix Π(0) ∈{error-vector} and find 3∑ i=1 ai with ai 6= 0. Fix Π(0) 6∈ {error-vector} and find 4∑ i=1 ai with ai 6= 0. 3. Set wt(e) = 6: Fix Π(0) ∈{error-vector} and find 5∑ i=1 ai with ai 6= 0. Fix Π(0) 6∈ {error-vector} and find 6∑ i=1 ai with ai 6= 0. 4. . . . 5. Set wt(e) = b t 2 c: Fix Π(0) ∈{error-vector} and find wt(e)−1∑ i=1 ai with ai 6= 0. Fix Π(0) 6∈ {error-vector} and find wt(e)∑ i=1 ai with ai 6= 0. In Appendix 1, a toy example is presented for a better comprehension. Improved Timing Attacks against the Secret Permutation in the McEliece PKC 15 3.5 Success probability The success probability Psuccess is described by the following event: {All the quotients have a degree=1}. If we consider all elements of our support as uniformly distributed variables and the independence of each step inside the EEA, under the initial assumptions we have: Psuccess = P({N¸ = 4p− 4}∩{Nº = p− 2}) = P({N¸ = 4p− 4})P({Nº = p− 2}) = (1 − 1 n )N¸+Nº. Experimental results show that for n = 2048 and wt(e) = 4, in order to find equations of the following form: Π(α1) + Π(α2) + Π(α3) + Π(α4) = 0 the probability equals 0.998. It means that less that 0.2% of the cases are not exploitable among all possible cases under the condition: N¸ = 4 and Nº = 0. In other words, each time this combination is revealed, the probability of having a good equation for our attack equals 0.998 for the given parameters. 3.6 Experimental work In order to validate the relations that we presented in the previous paragraph for (N¸,Nº), we used a Pari/GP implementation of the McEliece cryptosystem (the code will be publicly available). We computed a keypair, then encoded and decoded a given message multiple times, by checking the value of the couple (N¸,Nº), searching for the valid combinations described above. We also used different values for m, the extension degree of the finite field. We ran the algorithm until we got the specific combination about hundred times. Then, we obtained an average value for the necessary iterations required to get the searched combination. The results are presented in the following table: Table 2: Number of necessary iterations to get the combination for error-vectors of Hamming weight 4, 6 and 8 Combination: N¸ 4 8 12 Nº 0 1 2 Number of iterations for m = 7 127 138 142 Number of iterations for m = 8 235 270 273 It means that for m = 7, we need to send to the oracle in average 127 different ciphertexts, in order to get the wanted relation (Π(α1) + Π(α2) + Π(α3) + Π(α4) = 0). In the case of the previous equation, the density of such configurations equals in average 1 127 ×Psuccess = 1 127 × ( 1 − 127 128 )4 . Knowing one relation allows us, by fixing one of the positions, to reduce the number of ciphertexts that has to be sent to the oracle. It means that wanted relations are revealed more often as we progress in the attack. It also gives the first intuition on the structure of the permutation (see Appendix 1). Attack implementation In order to practically test our attack, we used the same software implementation. In order to reveal timings close to real values, we repeated the attack for more than 106 times. We presented the obtained results are in the following table: 16 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond Table 3: Timings (in sec.) for decryption in the case of n = 211 and t = 16 wt(e) Timings for expected attack equation Timings for random type equation 4 30141892 × 10−6 304856 × 10−4 6 3072799 × 10−5 310234 × 10−4 8 31597171 × 10−6 32242382 × 10−6 10 3285724 × 10−6 3345847 × 10−5 Remarks: We didn’t give the timings for the odd values as they are constant and independant from the linear combinations between the permutations of the error positions. From Figure 3, we observe that there’s a slight difference between the attack on this type combinations and on randomly distributed combinations. As we mentioned before for the random combinations those with the maximum number of iterations are more likely to appear (the case when all coefficients are different from zero). So in this case, we have the timing difference required for our attack to succeed. In Section 3.7, we will explain how the patch will work not only on this type of attacks but even on other types as the bit-flipping attacks. 3.7 Countermeasures We have seen that it is possible to attack a system by knowing how many times the EEA is repeated. The number of iterations can go from 0 to t− 1 in the syndrome inversion and from 0 to t/2 in the ELP determination. In order to avoid a correlation-finding from the number of iterations, we propose to introduce extra iterations into the EEA. The number of extra iterations should be chosen between 0 and a value that we call extra. The extra value is either t/2 or t−1, for the syndrome inversion ¸ or the ELP determination º, respectively. The variable i contains the number of iterations realized in the first part of the secured EEA. We chose to use integer values in the extra EEA steps, in order to avoid divisions by zero that may occur if we keep the previous terms. The point is to keep computing things that are as computationally expensive as the original EEA, so that an attacker can’t make the difference between true steps and extra steps. We present the proposed secured modified EEA: Input: f(x), g(x), dbreak and t. Output: a(x) and b(x) s.t. a(x) ≡ b(x)f(x) mod g(x) 1. d ← dbreak 2. [b−1,b0] ← [0, 1] 3. [r−1,r0] ← [g(x),f(x)] 4. i ← 0 5. While deg(ri) > d do i ← i + 1 ri−2(x) = ri−1(x)qi(x) + ri(x) bi(x) ← bi−2(x) + qi(x)bi−1(x) end while 6. a(x) ← ri(x) 7. b(x) ← bi(x) Improved Timing Attacks against the Secret Permutation in the McEliece PKC 17 8. extra = f(t,dbreak) 9. While i < extra do i ← i + 1 ri−2(x) = 3qi(x) + 5 bi(x) ← 5 + 6qi(x) end while The new security parameters: We recall the fact that normal security parameters do not take in consideration timing attacks. Usually security parameters are given under the assumption of possible naive attacks or known structural attacks as ISD [9] For example for the McEliece PKC the usual parameters are: 100-bit security n = 2048, t = 50 128-bit security n = 2960, t = 56 256-bit security n = 6624, t = 115 For the first parameters a timing attack with p = 6 would reveal a complexity less than 261 elementary operations, that is way lower than the original security level proposals. So for timing attacks larger parameters have to be taken in consideration in order to maintain the same level of security. For example in order to same a 100 bit security lever against this type of timing attacks one should propose n = 131072. The usual solution is not to increase the values of the parameters but to propose secure variant of the algorithm, variant that is not vulnerable to the specified attack. Our proposal is less faster that the original algorithm, it operates (t− 1) ×O(1) for the syndrome inversion and t 2 ×O(1) for the key equation (where O(1) is the usual complexity for a division). Meanwhile it is secure against timing attacks described below. The proof is very simple and it based on the fact that this particular type of timing attacks are based on the number of iterations is the EE Algorithm. Since our algorithm performs the same number of iterations no matter what relations are hidden between the polynomial coefficients it can’t reveal any of such secret relations. Once the countermeasure was applied, we ran the same attack and got the following timings for selected Hamming weights (the average timings are presented for more than 107 simulations in Fig. 4). Table 4: Timings (in sec.) for decryption in the case of n = 211 and t = 10 wt(e) Timings for attack type equations Timings for a random type combination 6 57.99 57.90 7 57.89 8 57.94 58.03 9 58.33 10 57.81 57.89 Remark: We observe that the protected implementation is impossible to attack (using the same techniques). We stress that the proposed countermeasure is also efficient in the case when an attacker wants to use previous techniques, like in [14,16,18]. 18 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond 4 Timing attack against the ELP evaluation Goal: The attacker’s goal is to find the secret permutation Π. Identification of a leakage: A leakage is identified at step ¼ of the Patterson algorithm: the ELP evaluation. We recall that the ELP is denoted σ in Subsection 2.1. The attack is based on the fact that the form of the polynomial differs from the element to decode. We will prove that the algorithm’s complexity is strongly related to the coefficients of σ(x). We will then perform a timing attack on the ELP evaluation and control the values of the coefficients of σ(x). Motivations of our attack: One of the main motivations of our attack is that it can operate on all existing implementations of a general alternant decoder. It operates on the ELP evaluation, step that has to be computed in any decoding algorithm. We will give two basic algorithms for the ELP evaluation with some improvements and show that even with the published improvements our attack succeeds. We will choose the polynomial evaluation from right to left (the naive algorithm) and from left to right (the Ruffini-Horner scheme). Imagine that our polynomial has a degree equal to an integer t. The first algorithm computes the result within 3t−1 operations (t additions and 2t−1 multiplications). As for the second one it computes the result within 2t operations (t additions and t multiplications). It was proven by V. Pan in 1966 [11] that the Ruffini-Horner’s scheme [6] is optimal in terms of complexity. The main idea of the improvement is to use the fact that some support elements have par- ticular properties (like 0 and 1). Knowing the fact that one coefficient equals zero fasten up the algorithm as operations like multiplication or sum have fix values if they take zero as one of the input element. The same thing happens within the multiplication by one. So we will exploit these properties in order to improve our implementation. Each time a coefficient equals one or zero it will be store in a special table used afterwards for multiplication or addition. The case where a coefficient equals zero is rare and its probability has been studied in [4]. Nevertheless, each time there’s a coefficient equal to zero we will no longer multiply it by the corresponding element as the multiplication equals zero. So we will use the predefined tables to get rid of the useless operations. We will proceed exactly the same way when the multiplication of an element has to be done when a coefficient equals to one. So each time we have one coefficient equal to zero, using our predefined tables, we get rid of two operations (one addition and one multiplication). Scenario: The attack scenario is the same as in the previous attack except for the last step. In fact, the attacker gets the running time for the ELP evaluation in this section (step ¼ in Figure 1). Idea: For wt(e) = 2, the attacker will find the positions of Π(0) and Π(1) the permutation of zero and one. After enough iterations, he will fix those two positions and repeat this attack with wt(e) = 3, he will then find the secret permutation Π (using exhaustive search for the remaining positions). Conditions: The assumptions are the same as in the previous attack excepted that the attacker does not know the order of the elements in the support L. Improved Timing Attacks against the Secret Permutation in the McEliece PKC 19 4.1 Success probability As we said, in this attack we will only consider polynomials with a degree lower than three. For the case r = 3 we will give the full table of probabilities. We will start with the following general problem: Problem: Let P(x) be a monic polynomial of degree r with r distinct roots over F2m. What is the probability that all its coefficients are different from zero? This problem was treated in [4] and the results show that the probability can be bounded. For the classical parameters of the McEliece PKC, i.e. n = 2048 and t ≤ 50, the authors obtain: P ≥ 0.95 Proposition 5. Let P(x) be a monic polynomial of degree 3 with three distinct roots over F2m and m mod 2 = 1. The probability P3 that all its coefficients are different from zero satisfies: P3 = 1 − 5 2m . 4.2 Finding the permutation of the support elements zero and one 1. Consider the error-vectors ei with wt(ei) = 1. In this case, the error locator polynomial has the following form: σ(x) = x + ai, with ai ∈L = {0, 1,α, . . . ,αn−2}. If ai 6= 0, there is one addition (+) in the σ(x) evaluation. 2. Consider the error-vectors ei with wt(ei) = 2. In this case, the error locator polynomial has the following form: σ(x) = x2 + S21x + S 2 0, with S 2 1 = ai + aj and S 2 0 = aiaj. We distinguish two possible cases: (a) σ(x) = x2 + S21x + S 2 0 if aiaj 6= 0 (b) σ(x) = x2 + S21x if aiaj = 0 The case (b) leads to a computation of the polynomial evaluation with one extra addition (+) and the timings reveal all the couples (αi, 0). We can assume now that the position of Π(0) is known. 3. We fix this position and we seek for the position of Π(1). Since the polynomial σ(x) = x2 + S21x, the fastest evaluation is obtained for the couple (Π(0), Π(1)) as there is only one addition (+) and one square computation. 20 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond 4.3 Attack scenario when r = 3 We will consider error-vectors with Hamming weight that equals 3. The corresponding σ(x) polynomial has always one of the eight following representations: 1. σ(x) = x3 + S32x 2 + S31x + S 3 0 if S 3 1S 3 2S 3 0 6= 0 2. σ(x) = x3 + S32x 2 + S31x if S 3 0 = 0 and S 3 2S 3 1 6= 0 3. σ(x) = x3 + S32x 2 + S30 if S 3 1 = 0 and S 3 2S 3 0 6= 0 4. σ(x) = x3 + S31x + S 3 0 if S 3 2 = 0 and S 3 1S 3 0 6= 0 5. σ(x) = x3 + S32x 2 if S32 6= 0 and S 3 1 = 0 and S 3 0 = 0 6. σ(x) = x3 + S31x if S 3 1 6= 0 and S 3 2 = 0 and S 3 0 = 0 7. σ(x) = x3 + S30 if S 3 0 6= 0 and S 3 2 = 0 and S 3 1 = 0 8. σ(x) = x3 if S30 = 0 and S 3 2 = 0 and S 3 1 = 0 Straightforward we deduce the following cases: (a). σ(x) = x3 + S32x 2 + S31x + S 3 0 if S 3 1S 3 2S 3 0 6= 0 and P = n−5 n (b). σ(x) = x3 + S32x 2 + S31x if S 3 0 = 0 and S 3 1S 3 2 6= 0 and P = 3 n (c). σ(x) = x3 + S32x 2 + S30 if S 3 1 = 0 and S 3 1S 3 0 6= 0 and P = 1 n (d). σ(x) = x3 + S31x + S 3 0 if S 3 2 = 0 and S 3 1S 3 0 6= 0 and P = 1 n Several cases can be eliminated by considering the fact that we accomplished the first step and we know the position of Π(0). If we consider all the error-vectors where ai 6= 0 ∀i ∈ {1, 2, . . . ,n−1} (i.e. 0 is not a root of P(x)), we reduce the possibilities for σ(x). The new form of the system is the following:  σ(x) = x3 + S32x 2 + S31x + S 3 0 if S 3 1S 3 2S 3 0 6= 0 σ(x) = x3 + S32x 2 + S30 if S 3 1 = 0 and S 3 2S 3 0 6= 0 σ(x) = x3 + S31x + S 3 0 if S 3 2 = 0 and S 3 0S 3 1 6= 0 In all cases, x3 must be computed so we will not consider this part in the timing differences. In the structure that computes the polynomial evaluation the fastest is the last one. But this case is performed only when S32 = 0. 4.4 Finding the positions of two elements such that Π(αj)Π(αk) = 1 In order to increase the number of equations in our system, we exploit the fact that (F2m) ∗ is cyclic. Recall: we know the positions of Π(0), Π(1) and Π(α1) + Π(α2) + Π(α3) = 0. Without loss of generality, we choose to fix "Π(0)" on the first position and choose two other positions such that the sum is different from 1. We are able to do that because we know the position of "Π(1)" and the couples (α1,α2) such that 1 + α1 + α2 = 0. We get two new positions b1 and b2 such that b1 + b2 6= 1. The error locator polynomial is: σ(x) = x3 + S32x 2 + S31x. For b1b2 = 1 we get σ(x) = x3 + S32x 2 + x. This form is the fastest to be computed as there is one less multiplication compare to the other case. Improved Timing Attacks against the Secret Permutation in the McEliece PKC 21 4.5 System resolution Number of equations: We will give the number of linear and quadratic equations obtained by the attacker. Finding the positions of Π(0) and Π(1) reduces the search set to (n− 2) elements. • The first set of linear equations: Equation type (1): Π(αj)Π(αk) = 1 ⇒ ]eq. = n−22 The last equation is determined by all the other ones because for the last couple only one possible solution remains available. For instance, if the attacker finds (n−2 2 − 1) different equations the last equation can be directly determined. • The second set of linear equations: Equation type (2): Π(αj) + Π(αk) = 1 ⇒ ]eq. = n−22 . As the first set, the last one can be determined by all others. This comes from the fact that for the three positions, we fixed the position of Π(1) as the first one. So we have (n−2) possibilities on the second position. But there are two repetitions for each (Π(1), Π(αj), Π(αk))-vector. • The third set of quadratic equations: Equation type (3): Π(αi) + Π(αj) + Π(αk) = 0 ⇒ ]eq. = (n−2)(n−4) 6 The total number of equations for Π(αi) + Π(αj) + Π(αk) = 0 including the second set equals (n− 1)(n− 2) as the third position is fixed and the two others are free and different. Here, the number of repetitions equals six. So we obtain ( (n−2)(n−1) 6 − n−2 2 ) equations. To illustrate how the attack works a toy example is given in Appendix 2. Conclusion In this article, we focused our attention on the cryptanalysis of the McEliece PKC with the binary Goppa codes. We showed the existing weak points in the Patterson decoding algorithm and determined the relations between the number of iterations in two different steps of the algorithm and the secret permutation. Since those relations were the main connection idea between the two extended Euclidean algorithms, we set up a timing attack based on this fact. The advantage of this attack is that it increased the probability of success by avoiding ambiguous cases, undetectable in previous attacks. The other advantage is that it allows higher expansion of the number of equations determined by the attacker in order to find the secret permutation. The second important contribution of our article is a new attack that can be performed on several different decoding algorithms. It reveals that even intelligent variants of some polynomial evaluation algorithms might leak information and need to be patched or replaced. The ideas discovered in the attacks might be reused in any further implementations using the algorithms mentioned before. So secure variants must be used in order to avoid any leakage point. Bibliography [1] Roberto Avanzi, Simon Hoerder, Dan Page, Mike Tunstall (2010), Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems, Cryptology ePrint Arch., Report 2010/479, 2010. 22 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond [2] Daniel J. Bernstein, Johannes Buchmann, Erik Dahmen (eds.) (2009), Post-Quantum Cryp- tography, Springer, 2009. [3] Daniel J. Bernstein, Tung Chou, Peter Schwabe (2013), McBits: fast constant-time code- based cryptography, https://binary.cr.yp.to/mcbits-20130616.pdf, 1-26. [4] Vlad Dragoi, Pierre-Louis Cayrel, Brice Colombier, Tania Richmond (2013), Polynomial structures in code-based cryptography, Indocrypt 2013, LNCS2850: 286-296. [5] Whitfield Diffie, Martin Hellman (1976), New directions in cryptography, IEEE Trans. Inform. Theory, 22(6):644–654. [6] W.G. Horner (1819), A new method of solving numerical equations of all orders by contin- uous approximation, Phil. Trans. R. Soc. Lond., 109:308–335. [7] Florence J. MacWilliams, Neil J. A. Sloane (1986), The Theory of Error-Correcting Codes, North–Holland, Amsterdam, 5th ed., 1986. [8] Robert J. McEliece (1978), A public-key cryptosystem based on algebraic coding theory, Jet Propulsion Laboratory DSN Progress, Report 42-44, 114–116. [9] Robert Niebuhr et al. (2010), On lower bounds for information set decoding over fq, In C. Cid, J.-C. Faugere, (eds.), Proc. of the Second Intl. Conf. on Symbolic Computation and Cryptography, SCC 2010, 143–157. [10] Ayoub Otmani, Jean-Pierre Tillich, Leonard Dallot (2008), Cryptanalysis of a McEliece cryptosystem based on quasi-cyclic LDPC codes, Proc. of First Intl. Conf. on Symbolic Computation and Cryptography (SCC 2008), 69–81. [11] Victor Y. Pan (1966), On Methods of Computing the Values of Polynomials, UspeKhi Math- ematicheskikh Nauk, 21:103–134. [12] Nicholas J. Patterson (1975), The algebraic decoding of goppa codes, IEEE Transactions on Information Theory, 21(2): 203–207. [13] Peter W. Shor (1997), Polynomial-time algorithms for prime factorization and discrete log- arithms on a quantum computer, SIAM Journal on Computing, 26(5):1484-1509. [14] Abdulhadi Shoufan et al. (2010), A Timing Attack against Patterson Algorithm in the McEliece PKC, ICISC 2009, LNCS 5984: 161–175. [15] V.M. Sidelnikov and S.O. Shestakov (1992), On the insecurity of cryptosystems based on generalized Reed-Solomon codes, Discrete Math. Appl., 2(4):439–444. [16] Falko Strenzke (2010), A Timing Attack against the Secret Permutation in the McEliece PKC, In N. Sendrier (ed.), Post-Quantum Cryptography, Third intl. workshop, LNCS6061: 95–107. [17] Falko Strenzke (2010), Fast and secure root-finding for code-based cryptosystems, Cryptology ePrint Arch., Report 2011/672, 2011. [18] Falko Strenzke (2011), Timing attacks against the syndrome inversion in code-based cryp- tosystems, Cryptology ePrint Arch., Report 2011/683, 2011. [19] Falko Strenzke et al. (2008), Side channels in the McEliece PKC, In J. Buchmann and J. Ding (eds.), Post-Quantum Cryptography, Second intl. workshop, LNCS5299: 216–229. Improved Timing Attacks against the Secret Permutation in the McEliece PKC 23 Appendix 1 Toy example for the EEA attack Consider F24 [x] = F2[x] x4+x+1 . The generator matrix G of the Goppa code and the support L = {0, 1,α,α2, . . . ,α14} are public. Let m ∈ Fk2 be the message and O the decoding oracle. We notice that if L is public, one can find G(x) such that L = F2[x] G(x) . The other way is equaly true: if G(x) is public then one can easily find L. Suppose that the secret permutation is: Π(L) = L′ = {α,α2,α3, . . . ,α14, 0, 1} = {`i |i ∈ (1 . . . 16)} • 1st step: • The attacker asks O to decode all the z = mG⊕e with wt(e) = 1. ? N¸ and Nº reveals the position of Π(0): `15. ◦ This is mainly due to: σ(x) = x we have τ(x) = 0 and S−1(x) = x • 2nd step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 4 (the positions (`i1,`i2,`i3 ) are the three non-zero positions of e and `i4 = `15). ? The couple ( N¸ Nº ) = ( 4 0 ) reveals all (`i1,`i2,`i3 ) such that `i1 + `i2 + `i3 = 0. Here (`i1,`i2,`i3 ) ∈{(`1,`4,`16), (`3,`14,`16), . . .}. ◦ deg(σ) = 4 and deg(ω) = { 2 if `i1 + `i2 + `i3 6= 0 0 if `i1 + `i2 + `i3 = 0 ◦ deg(b) = { 1 if `i1 + `i2 + `i3 6= 0 0 if `i1 + `i2 + `i3 = 0 • 3rd step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 4 (the positions (`i1,`i2,`i3,`i4 ) are the four non-zero positions of e). ? The couple ( N¸ Nº ) = ( 4 0 ) reveals all (`i1,`i2,`i3,`i4 ) such that `i1 +`i2 +`i3 +`i4 = 0. Here (`i1,`i2,`i3,`i4 ) ∈{(`1,`2,`10,`16), (`2,`3,`13,`16), . . .}. ◦ deg(σ) = 4 and deg(ω) = { 2 if `i1 + `i2 + `i3 + `i4 6= 0 0 if `i1 + `i2 + `i3 + `i4 = 0 ◦ deg(b) = { 1 if `i1 + `i2 + `i3 + `i4 6= 0 0 if `i1 + `i2 + `i3 + `i4 = 0 • 4th step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 6 (the positions (`i1,`i2,`i3,`i4,`i5 ) are the five non-zero positions of e and `i6 = `15). ? The couple ( N¸ Nº ) = ( 8 1 ) reveals all (`i1,`i2,`i3,`i4,`i5 ) such that `i1 +`i2 +· · ·+`i5 = 0. Here (`i1,`i2,`i3,`i4,`i5 ) ∈{(`1,`2,`3,`12,`16), (`3,`4,`8,`12,`16), . . .}. 24 D. Bucerzan, P.L. Cayrel, V. Dragoi, T. Richmond ◦ deg(σ) = 4 and deg(ω) = { 4 if `i1 + `i2 + `i3 + `i4 + `i5 6= 0 2 if `i1 + `i2 + `i3 + `i4 + `i5 = 0 ◦ deg(b) = { 2 if `i1 + `i2 + `i3 + `i4 + `i5 6= 0 1 if `i1 + `i2 + `i3 + `i4 + `i5 = 0 • 5th step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 6 (the positions (`i1,`i2,`i3,`i4,`i5,`i6 ) are the six non-zero positions of e). ? The couple ( N¸ Nº ) = ( 8 1 ) reveals all (`i1,`i2,`i3, . . . ,`i6 ) such that `i1 +`i2 +· · ·+`i6 = 0. Here (`i1,`i2,`i3, . . . ,`i6 ) ∈{(`1,`2,`3,`4,`6,`16), . . .}. ◦ deg(σ) = 4 and deg(ω) = { 4 if `i1 + `i2 + `i3 + · · · + `i6 6= 0 2 if `i1 + `i2 + `i3 + · · · + `i6 = 0 ◦ deg(b) = { 2 if `i1 + `i2 + `i3 + · · · + `i6 6= 0 1 if `i1 + `i2 + `i3 + · · · + `i6 = 0 • . . . • Last step: The attacker has to solve the following system of quadratic equations in order to find the secret permutation:  `15 = Π(0) ; 1 st step `1 + `4 + `16 = `3 + `14 + `16 = · · · = 0 2nd step `1 + `2 + `10 + `16 = `2 + `3 + `13 + `16 = · · · = 0 3rd step `1 + `2 + `3 + `12 + `16 = `3 + `4 + `8 + `12 + `16 = · · · = 0 4th step `1 + `2 + `3 + `4 + `6 + `16 = · · · = 0 5th step . . . Solving the system will allow to fully determine the secret permutation Π(L) = L′ = {α,α2,α3,α4, . . . , 0, 1}. 2 Toy example for the ELP evaluation attack Consider F23 [x] = F2[x] x3+x+1 . G and the support L = {0, 1,α,α2,α3,α4,α5,α6} are public, m ∈ Fk2 and O is the decoding oracle. We notice that if L is public one can find G(x) such that L = F2[x] G(x) . The other way is equaly true: if G(x) is public then one can easily discover L. Suppose that the secret permutation is: Π(L) = L′ = {α,α3, 1,α4,α5, 0,α2,α6} = {`i |i ∈{1, . . . , 8}} • 1st step: • The attacker asks O to decode all the z = mG⊕e with wt(e) = 2 (the positions (`j,`k) are the two non-zero positions of e). Improved Timing Attacks against the Secret Permutation in the McEliece PKC 25 ? The faster step ¼ reveals the position of Π(0): `6. • The attacker asks O to decode all the z = mG⊕e with wt(e) = 2 (the positions (`6,`k) are the two non-zero positions of e). ? The faster step ¼ reveals the position of Π(1): `3. • 2nd step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 3 (the positions (`3,`j,`k) are the three non-zero positions of e). ? The faster step ¼ reveals all the couples (`j,`k) such that `3 + `j + `k = 0. Here (`j,`k) ∈{(`1,`2), (`4,`5), (`7,`8)}. • 3rd step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 3 (the positions (`6,`j,`k) are the three non-zero positions of e). ? The faster step ¼ reveals all the couples (`j,`k) such that `j`k = 1. Here (`j,`k) ∈ {(`1,`8), (`2,`4), (`5,`7)}. • 4th step: • The attacker asks O to decode all the z = mG ⊕ e with wt(e) = 3 (the positions (`i,`j,`k) are the three non-zero positions of e). ? The faster step ¼ reveals all the triplets (`i,`j,`k) such that `i + `j + `k = 0. Here (`i,`j,`k) ∈{(`1,`4,`7), (`1,`5,`8), (`2,`4,`8), (`2,`5,`7)}. • The attacker has to solve the following system of quadratic equations in order to find the secret permutation:  `6 = Π(0) ; `3 = Π(1) 1 st step `1 + `2 = `4 + `5 = `7 + `8 = 1 2 nd step `1`8 = `2`4 = `5`7 = 1 3 rd step `1 + `4 + `7 = `1 + `5 + `8 = 0 4 th step `2 + `4 + `8 = `2 + `5 + `7 = 0 4 th step Solving the system will allow to fully determine the secret permutation Π(L) = {α,α3, 1,α4,α5, 0,α2,α6}.