International Association for Cryptologic Research

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2025

Full Key-Recovery Cubic-Time Template Attack on Classic McEliece Decapsulation


Vlad-Florin Drăgoi
Faculty of Exact Sciences, Aurel Vlaicu University, Arad, Romania; LITIS, University of Rouen Normandie, Saint-Etienne du Rouvray, France

Brice Colombier
Université Jean Monnet Saint-Etienne, CNRS, Institut d'Optique Graduate School, Laboratoire Hubert Curien UMR 5516, F-42023, SAINT-ETIENNE, France

Nicolas Vallet
Université Jean Monnet Saint-Etienne, CNRS, Institut d'Optique Graduate School, Laboratoire Hubert Curien UMR 5516, F-42023, SAINT-ETIENNE, France

Pierre-Louis Cayrel
Université Jean Monnet Saint-Etienne, CNRS, Institut d'Optique Graduate School, Laboratoire Hubert Curien UMR 5516, F-42023, SAINT-ETIENNE, France

Vincent Grosso
Université Jean Monnet Saint-Etienne, CNRS, Institut d'Optique Graduate School, Laboratoire Hubert Curien UMR 5516, F-42023, SAINT-ETIENNE, France


Keywords: Post-quantum cryptography, Code-based cryptography, Classic McEliece, Side-channel attacks


Abstract

Classic McEliece is one of the three code-based candidates in the fourth round of the NIST post-quantum cryptography standardization process in the Key Encapsulation Mechanism category. As such, its decapsulation algorithm is used to recover the session key associated with a ciphertext using the private key. In this article, we propose a new side-channel attack on the syndrome computation in the decapsulation algorithm that recovers the private key, which consists of the private Goppa polynomial g and the permuted support L. The attack relies on both practical aspects and theoretical contributions, namely that the side-channel distinguisher can accurately discriminate elements of the permuted support L while relying only on a standard noisy Hamming-weight leakage assumption, and that there exists a cubic-time algorithm that uses this information to recover the private Goppa polynomial g. Compared with previous work targeting the Classic McEliece private key, this drastically improves both on the assumptions made in the attacker model and on the overall efficiency of the key-recovery algorithm. We have carried out the attack in practice on a microcontroller target running the reference implementation of Classic McEliece, and make the full attack source code available.

Publication

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2025, Issue 1

Paper

Artifact

Artifact number
tches/2025/a6

Artifact published
March 6, 2025

Badge
IACR CHES Artifacts Functional

README

ZIP (683409345 Bytes)

View on Gitlab

License
GPLv3 This work is licensed under the GNU General Public License version 3.

Some files in this archive are licensed under a different license. See the contents of this archive for more information.


How to cite

Drăgoi, V.-F., Colombier, B., Vallet, N., Cayrel, P.-L., & Grosso, V. (2024). Full Key-Recovery Cubic-Time Template Attack on Classic McEliece Decapsulation. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(1), 367-391. https://doi.org/10.46586/tches.v2025.i1.367-391. Artifact available at https://artifacts.iacr.org/tches/2025/a6