Transactions on Cryptographic Hardware and Embedded Systems, Volume 2022
Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE
Technische Universität Wien, RISE GmbH
Robin Leander Schröder
Technische Universität Wien
Lund University, Advenica AB
Keywords: Timing Attack, Rejection Sampling, Fujisaki-Okamoto Transformation, Post-Quantum Cryptography, HQC, BIKE
Well before large-scale quantum computers will be available, traditional cryptosystems must be transitioned to post-quantum (PQ) secure schemes. The NIST PQC competition aims to standardize suitable cryptographic schemes. Candidates are evaluated not only on their formal security strengths, but are also judged based on the security with regard to resistance against side-channel attacks. Although round 3 candidates have already been intensively vetted with regard to such attacks, one important attack vector has hitherto been missed: PQ schemes often rely on rejection sampling techniques to obtain pseudorandomness from a specific distribution. In this paper, we reveal that rejection sampling routines that are seeded with secretdependent information and leak timing information result in practical key recovery attacks in the code-based key encapsulation mechanisms HQC and BIKE.
Both HQC and BIKE have been selected as alternate candidates in the third round of the NIST competition, which puts them on track for getting standardized separately o the finalists. They have already been specifically hardened with constant-time decoders to avoid side-channel attacks. However, in this paper, we show novel timing vulnerabilities in both schemes: (1) Our secret key recovery attack on HQC requiresonly approx. 866,000 idealized decapsulation timing oracle queries in the 128-bit security setting. It is structurally different from previously identified attacks on the scheme: Previously, exploitable side-channel leakages have been identified in the BCH decoder of a previously submitted HQC version, in the ciphertext check as well as in the pseudorandom function of the Fujisaki-Okamoto transformation. In contrast, our attack uses the fact that the rejection sampling routine invoked during the deterministic re-encryption of the decapsulation leaks secret-dependent timing information, which can be efficiently exploited to recover the secret key when HQC is instantiated with the (now constant-time) BCH decoder, as well as with the RMRS decoder of the current submission. (2) From the timing information of the constant weight word sampler in the BIKE decapsulation, we demonstrate how to distinguish whether the decoding step is successful or not, and how this distinguisher is then used in the framework of the GJS attack to derive the distance spectrum of the secret key, using 5.8 x 107 idealized timing oracle queries. We provide details and analyses of the fully implemented attacks, as well as a discussion on possible countermeasures and their limits.
Transactions of Cryptographic Hardware and Embedded Systems, Volume 2022, Issue 3Paper
August 1, 2022
Some files in this archive are licensed under a different license. See the contents of this archive for more information.
BibTeX How to cite
Guo, Q., Hlauschek, C., Johansson, T., Lahr, N., Nilsson, A., & Schröder, R. L. (2022). Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(3), 223–263. https://doi.org/10.46586/tches.v2022.i3.223-263. Artifact available at https://artifacts.iacr.org/tches/2022/a12