Paper 2023/1590

Single trace HQC shared key recovery with SASCA

Guillaume Goy, CEA LETI, University of Limoges
Julien Maillard, CEA LETI, University of Limoges
Philippe Gaborit, University of Limoges
Antoine Loiseau, CEA LETI
Abstract

This paper presents practicable single trace attacks against the Hamming Quasi-Cyclic (HQC) Key Encapsulation Mechanism. These attacks are the first Soft Analytical Side-Channel Attacks (SASCA) against code-based cryptography. We mount SASCA based on Belief Propagation (BP) on several steps of HQC's decapsulation process. Firstly, we target the Reed-Solomon (RS) decoder involved in the HQC publicly known code. We perform simulated attacks under Hamming weight leakage model, and reach excellent accuracies (superior to $0.9$) up to a high noise level ($\sigma = 3$), thanks to a re-decoding strategy. In a real case attack scenario, on a STM32F407, this attack leads to a perfect success rate. Secondly, we conduct an analogous attack against the RS encoder used during the re-encryption step required by the Fujisaki-Okamoto-like transform. Both in simulation and practical instances, results are satisfactory and this attack represents a threat to the security of HQC. Finally, we analyze the strength of countermeasures based on masking and shuffling strategies. In line with previous SASCA literature targeting Kyber, we show that masking HQC is a limited countermeasure against BP attacks, as well as shuffling countermeasures adapted from Kyber. We evaluate the ``full shuffling'' strategy which thwarts our attack by introducing sufficient combinatorial complexity. Eventually, we highlight the difficulty of protecting the current RS encoder with a shuffling strategy. A possible countermeasure would be to consider another encoding algorithm for the scheme to support a full shuffling. Since the encoding subroutine is only a small part of the implementation, it would come at a small cost.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Soft Analytical Side-Channel AttackSASCABelief PropagationBPHQCSingle TraceShared Key Recovery
Contact author(s)
guillaume goy @ unilim fr
julien maillard @ cea fr
gaborit @ unilim fr
antoine loiseau @ cea fr
History
2024-03-18: revised
2023-10-13: received
See all versions
Short URL
https://ia.cr/2023/1590
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1590,
      author = {Guillaume Goy and Julien Maillard and Philippe Gaborit and Antoine Loiseau},
      title = {Single trace {HQC} shared key recovery with {SASCA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1590},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1590}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.