A PRACTICABLE TIMING ATTACK AGAINST HQC AND ITS COUNTERMEASURE

Guillaume Wafo-Tapa, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Slim Bettaieb, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Loïc Bidoux, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Philippe Gaborit, University of Limoges, XLIM-DMI, 123, Av. Albert Thomas, 87060 Limoges, France
Etienne Marcatel, Atos, 68 avenue Jean Jaurès, 78340 Les Clayes-sous-Bois, France

Abstract. In this paper, we present a practicable chosen ciphertext timing attack retrieving the secret key of HQC. The attack exploits a correlation between the weight of the error to be decoded and the running time of the decoding algorithm of BCH codes. For the 128-bit security parameters of HQC, the attack runs in less than a minute on a desktop computer using 5441 decoding requests and has a success probability of approximately 93 percent. To prevent this attack, we propose a constant time algorithm for the decoding of BCH codes. Our implementation of the countermeasure achieves a constant time execution of the decoding process without a significant performance penalty.

Keywords and phrases. HQC, BCH decoding, Timing attack, Constant time implementation.

1. Introduction

HQC [1, 3] is a code-based IND-CCA2-secure public key encryption scheme, whose security is based on the hardness of the quasi-cyclic syndrome decoding problem. It is one of the candidate algorithms that has advanced to the round 2 of the NIST post-quantum standardization project. In particular, HQC relies on tensor product codes (BCH codes tensored with repetition codes) in its decryption algorithm. BCH codes are algebraic codes introduced in two independent works by Bose, Chaudhuri [7] and Hocquenghem [11]. Algorithms to decode BCH codes use Galois field arithmetic operations and basically consist in three steps: syndromes computation, error-locator polynomial computation and roots computation. So far, BCH codes have been used to mitigate the decryption failure in various public key encryption schemes based on hard problems of either coding theory [1, 3] or lattices [15]. However, due to side channel timing leakage, a straightforward use of BCH codes would introduce a security weakness in the underlying cryptographic schemes when implemented in software. In fact, D'Anvers et al. [8] showed that the security of LAC, a lattice-based cryptosystem [15], could be significantly reduced if there is a side channel leakage during the error correction of BCH codes. Furthermore, HQC shares the same framework as the RQC [2, 3] cryptosystem. It has been shown in [4] that this framework is vulnerable to a timing attack in the rank metric setting if the decoding of the underlying Gabidulin codes [9] is implemented in a non constant time fashion.

Achieving a constant time implementation of the decoding of BCH codes is challenging. In a recent work, Walters and Sinha Roy [16] proposed such a constant time BCH decoding implementation. However, the algorithms used for syndromes computation and roots computation are not the most efficient known in the literature.

Contributions. In this paper, we present a practicable timing attack against HQC that completes under the minute. As countermeasure, we give two variants of a constant time algorithm for BCH codes.

Paper organisation. In section 2, we give some preliminaries on code-based cryptography, decoding BCH codes as well as the HQC cryptosystem. Next, in section 3, we present a correlation between the weight of the error to be decoded and the decoding time of BCH codes. This observation is the cornerstone of the timing attack detailed in section 4. In section 5, we introduce a constant time implementation that constitutes a countermeasure to this attack as well as some experimental results. Finally, we conclude this work in section 6.

2. Preliminaries

In this section, we give some preliminaries regarding the Hamming metric, error-correcting codes and the HQC cryptosystem.

2.1. Coding theory. Let $\mathbb{F}_2$ be the binary finite field and $\mathbb{F}_2^n$ the vector space of dimension $n$ over $\mathbb{F}_2$ for some positive integer $n$. Elements of $\mathbb{F}_2^n$ are considered as vectors or polynomials in $\mathbb{F}_2[X]/(X^n - 1)$.

Definition 2.1 (Support). Let $x \in \mathbb{F}_2^n$. The support of $x$ is the set of indices $i \in [\![0, n-1]\!]$ such that $x_i = 1$.

Definition 2.2 (Hamming weight). Let $x \in \mathbb{F}_2^n$. The Hamming weight of $x$, denoted by $w(x)$, is the cardinal of its support, i.e. the number of its non-zero coordinates.

Definition 2.3 (Hamming distance). Let $x, y \in \mathbb{F}_2^n$. The Hamming distance from $x$ to $y$, denoted by $d(x, y)$, is defined as $w(x - y)$, i.e. the number of coordinates $x$ and $y$ differ on.

Definition 2.4 (Linear code).
A linear $[n, k]$-code $C$ of length $n$ and dimension $k$ is a linear subspace of $\mathbb{F}_2^n$ of dimension $k$.

Definition 2.5 (Generator matrix). A matrix $G \in \mathbb{F}_2^{k \times n}$ is a generator matrix for the $[n, k]$-code $C$ if $C = \{ mG \mid m \in \mathbb{F}_2^k \}$.

Definition 2.6 (Parity-check matrix). A matrix $H \in \mathbb{F}_2^{(n-k) \times n}$ is a parity-check matrix for the $[n, k]$-code $C$ if $C = \{ x \in \mathbb{F}_2^n \mid Hx = 0 \}$.

Definition 2.7 (Correction capacity). Let $C$ be a linear $[n, k]$-code. The correction capacity of $C$ is the largest $\delta \in \mathbb{N}$ such that for all $x \in \mathbb{F}_2^n$, there is at most one $c \in C$ such that $d(x, c) \le \delta$. The code $C$ is called a $[n, k, \delta]$-code.

Definition 2.8 (Cyclic code [14]). A code $C$ is said to be cyclic if every cyclic shift of a codeword in $C$ is also a codeword. That is, $(c_0, c_1, \dots, c_{n-1}) \in C$ implies $(c_{n-1}, c_0, \dots, c_{n-2}) \in C$.

Theorem 2.9 (Generator polynomial [14]). Let $C$ be a cyclic code over $\mathbb{F}_2$. There exists a unique polynomial $g(x)$ in $C$ of minimal positive degree. Moreover, a polynomial $c(x)$ is a codeword of $C$ if and only if $g(x)$ divides $c(x)$. The polynomial $g(x)$ is called the generator polynomial of the cyclic code $C$.

HQC uses a tensor product code obtained as the combination of a BCH code with a repetition code.

Definition 2.10 (Tensor product code [1]). Let $C_1$ (resp. $C_2$) be a $[n_1, k_1]$ (resp. $[n_2, k_2]$) linear code over $\mathbb{F}_2$. The tensor product code of $C_1$ and $C_2$, denoted $C_1 \otimes C_2$, is defined as the set of all $n_2 \times n_1$ matrices whose rows are codewords of $C_1$ and whose columns are codewords of $C_2$. More formally, if $C_1$ (resp. $C_2$) is generated by $G_1$ (resp. $G_2$), then
$$C_1 \otimes C_2 = \{ G_2^{\top} X G_1 \mid X \in \mathbb{F}_2^{k_2 \times k_1} \}.$$

Theorem 2.11 (BCH code [14]). For any positive integers $m \ge 3$ and $t < 2^{m-1}$, there exists a binary cyclic BCH $[n, k, \delta]$-code with the following properties: $n = 2^m - 1$; $n - k \le mt$; $\delta \ge t$. Let $\alpha$ be a primitive element in $\mathbb{F}_{2^m}$, and let $\phi_i(x)$ be the minimal polynomial of $\alpha^i$ for $1 \le i \le 2\delta$. The generator polynomial $g(x)$ of the BCH $[n, k, \delta]$-code is the least common multiple of $\phi_1(x), \phi_2(x), \dots, \phi_{2\delta}(x)$, that is,
$$g(x) = \mathrm{LCM}\{ \phi_1(x), \phi_2(x), \dots, \phi_{2\delta}(x) \}.$$

BCH codes encoding. Given the generator polynomial $g(x)$ and a message $u(x) = u_0 + u_1 x + \dots + u_{k-1} x^{k-1}$, the encoding of BCH codes consists of three steps:
(1) Compute $a(x) = x^{n-k} u(x)$.
(2) Compute $b(x) = a(x) \bmod g(x)$.
(3) Form the codeword $c(x) = a(x) + b(x)$.

BCH codes decoding. The decoding of BCH codes also consists of three steps:
(1) Compute the $2\delta$ syndromes from the received polynomial $r(x)$. Let $c(x)$ denote the sent codeword and $e(x)$ the error word; one has $r(x) = c(x) + e(x)$. For $1 \le i \le 2\delta$, the syndromes $S_i$ are defined as $S_i = r(\alpha^i) = e(\alpha^i)$.
(2) Compute the Error Locator Polynomial (ELP) $\sigma(x)$ using the syndromes $(S_i)_{1 \le i \le 2\delta}$. Let $v$ be the number of errors and let $j_1, j_2, \dots, j_v$ be the error positions. Then $e(x) = x^{j_1} + x^{j_2} + \dots + x^{j_v}$, so
$$S_i = (\alpha^i)^{j_1} + (\alpha^i)^{j_2} + \dots + (\alpha^i)^{j_v} \quad (1 \le i \le 2\delta).$$
Introducing the error locators $\beta_s = \alpha^{j_s}$, with $s = 1, 2, \dots, v$, one can write the syndromes more explicitly:
$$S_1 = \beta_1 + \beta_2 + \dots + \beta_v, \quad S_2 = \beta_1^2 + \beta_2^2 + \dots + \beta_v^2, \quad \dots, \quad S_{2\delta} = \beta_1^{2\delta} + \beta_2^{2\delta} + \dots + \beta_v^{2\delta}.$$
These are known as power sum symmetric functions. They lead to the definition of the error locator polynomial:
$$\sigma(x) = \prod_{r=1}^{v} (1 + \beta_r x) = \sum_{r=0}^{v} \sigma_r x^r.$$
$(\sigma_i)_{1 \le i \le v}$ and $(S_i)_{1 \le i \le 2\delta}$ are then related by Newton's identities:
$$S_1 + \sigma_1 = 0$$
$$\dots$$
$$S_v + \sigma_1 S_{v-1} + \dots + \sigma_{v-1} S_1 + v\sigma_v = 0$$
$$S_{v+1} + \sigma_1 S_v + \dots + \sigma_{v-1} S_2 + \sigma_v S_1 = 0$$
$$\dots$$
$$S_{2\delta} + \sigma_1 S_{2\delta-1} + \dots + \sigma_v S_{2\delta-v} = 0 \qquad (1)$$
(3) Compute the roots of the error locator polynomial $\sigma(x)$. These roots $\beta_1^{-1}, \beta_2^{-1}, \dots, \beta_v^{-1}$ are the inverses of the error locators. Once found, one can retrieve the error positions $j_1, j_2, \dots, j_v$ and correct $r(x)$.

Definition 2.12 (Repetition code). The binary repetition code $1_n$ of length $n$ is the set of two codewords $1^n$ (the all ones) and $0^n$ (the all zeros). It has dimension 1 and correction capacity $\lfloor (n-1)/2 \rfloor$. The $1_n$ code is an error-correcting code where encoding is done by repeating the message bit $n$ times. Decoding is done by majority decision; it outputs 1 if there is a majority of 1 and 0 otherwise.

2.2. The HQC public key encryption scheme. Hamming Quasi-Cyclic [1, 3] is a code-based IND-CCA2 secure encryption scheme whose security relies on the syndrome decoding problem. It is obtained by applying the HHK transformation [12] on the IND-CPA construction denoted HQC.PKE (depicted in Figure 1). HQC uses two types of codes: a tensor code $C$ of generator matrix $G$ and a random double-circulant $[2n, n]$-code with a parity check matrix $(1, h)$. The correctness of HQC relies on the decoding capability of the code $C$. Indeed, $\mathrm{Decrypt}(sk, \mathrm{Encrypt}(pk, m)) = m$ when $C.\mathrm{Decode}$ correctly decodes $v - uy$, namely whenever $w(x r_2 - r_1 y + e) \le \delta$. The tensor product code $C$ is defined by $C = B \otimes R$, where $B$ is a $[n_1, k, \delta]$ BCH code and $R$ is the $[n_2, 1, \lfloor (n_2 - 1)/2 \rfloor]$ repetition code $1_{n_2}$. Encoding a given message $m \in \mathbb{F}_2^{k_1}$ is done in two steps. Firstly, it is encoded into $b \in \mathbb{F}_2^{n_1}$ using the aforementioned BCH code $B$. Secondly, each coordinate $b_i$ of $b$ is re-encoded into $c_i \in \mathbb{F}_2^{n_2}$, for $0 \le i \le n_1 - 1$, with the repetition code $R = 1_{n_2}$. This yields the codeword $(c_0\, c_1 \dots c_{n_1 - 1})$. Similarly, decoding $a = (a_0\, a_1 \dots a_{n_1 - 1})$ with $a_i \in \mathbb{F}_2^{n_2}$ for $0 \le i \le n_1 - 1$ is also done in two steps. Firstly, the repetition code $R$ decodes each $a_i$ into a bit $b_i$. Secondly the BCH code $B$ decodes the word $b = (b_i)_{0 \le i \le n_1 - 1}$ into the message.

Figure 1. Description of HQC.PKE [1].
  Setup($1^\lambda$): Generate and return parameters $\mathrm{param} = (n, k, \delta, G, \omega, \omega_r, \omega_e)$.
  KeyGen(param):
    $sk = (x, y) \xleftarrow{\$} (\mathbb{F}_2^n)^2$ such that $\omega(x) = \omega(y) = \omega$
    $h \xleftarrow{\$} \mathbb{F}_2^n$
    $pk = (h, s = x + hy)$
    Return $(pk, sk)$
  Encrypt($pk$, $m$):
    $r = (r_1, r_2) \xleftarrow{\$} (\mathbb{F}_2^n)^2$ such that $\omega(r_1) = \omega(r_2) = \omega_r$
    $u = r_1 + h r_2$
    $e \xleftarrow{\$} \mathbb{F}_2^n$ such that $\omega(e) = \omega_e$
    $v = mG + s r_2 + e$
    Return $c = (u, v)$
  Decrypt($sk = (x, y)$, $c = (u, v)$):
    $a = v - uy$
    $b = (R.\mathrm{Decode}(a_0), R.\mathrm{Decode}(a_1), \dots, R.\mathrm{Decode}(a_{n_1 - 1}))$
    $m = B.\mathrm{Decode}(b)$
    Return $m$

3. Correlation between decoding time and error weight

In this section, we show that there exists a correlation between the weight of the error to be decoded and the running time of the BCH codes decoding algorithm, assuming Berlekamp's simplified algorithm [14] (see appendix A) is used for the second step of decoding. We next describe an oracle distinguishing BCH codewords without errors from those with exactly one error using the running time of the HQC.Decrypt algorithm (see Figure 1).

Berlekamp's simplified algorithm (see appendix A) is an iterative algorithm solving the set of equations (1). It completes in $\delta$ iterations. It starts with $\sigma(x) = 1$. At iteration $\mu$, it computes a quantity $d_\mu$, called discrepancy, whose value is 0 if the $\mu$-th equation from system (1) holds.
If not, it corrects $\sigma(x)$ such that equation $\mu$ holds. The loop invariant is that after $\mu$ iterations, the first $\mu$ equations of system (1) are verified. Looking at the pseudocode from appendix A, one can see that:
- For a codeword without error, all discrepancies are zero and the algorithm completes without corrections.
- For a codeword with one error, the first syndrome is $\alpha^{j_1}$ where $j_1$ is the error position, and one correction is needed.

Assuming constant running time for the other steps of $B.\mathrm{Decode}$ (syndromes computation and roots search) as well as the other parts of the HQC.Decrypt subroutine (multiplication and repetition code decoding), one can build the aforementioned oracle. Let $\mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}$ denote a timing oracle returning the running time of the HQC.Decrypt algorithm. We now explain how to construct an oracle, denoted by $\mathcal{O}^{0/1}_{\mathrm{HQC}}$, returning the weight (0 or 1) of the error corrected by the BCH code, using $\mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}$. The oracle $\mathcal{O}^{0/1}_{\mathrm{HQC}}$ takes as input an HQC public key $pk$ (which implicitly defines a BCH code $B$) and a ciphertext $c = (u, v)$. The oracle features an initialization step Init (see Algorithm 1) and an evaluation step Eval (see Algorithm 2). The Init step computes the expected running times $T_0$ and $T_1$ when the BCH code corrects 0 and 1 error respectively. To obtain these times $T_0$ and $T_1$, the proper requests have to be submitted to $\mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}$. In order to construct them, one has to account for the additional layers of multiplication and $R$ decodings on top of BCH decoding. The repetition code layer sees its input $a$, of length $n = n_1 n_2$, as $n_1$ blocks of $n_2$ bits:
$$a = (a_0, a_1, \dots, a_{n_1 - 1}), \quad a_i \in \mathbb{F}_2^{n_2}.$$
Each block $a_i$ gives a bit $b_i$ of the output vector $b$ (fed to the BCH decoder) where $b_i = 1$ if the block contains a majority of 1 and $b_i = 0$ otherwise. To compute $T_0$ and $T_1$ we simply query the timing oracle $\mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}$ and measure its response time with $u = 0^n$ and $v = 0^n$ to get an estimation of $T_0$, and with $u = 0^n$ and $v = (1^{n_2}\, 0^{n - n_2})$ to get an estimation of $T_1$, as then $b = (1\, 0^{n_1 - 1})$. As described in Algorithm 1, for $T_1$ we make a sample of $p$ requests and retain their mean as the estimate. The complexity of this initialization step is that of $1 + p$ decodings, which will be negligible with respect to the rest of the attack. The Eval step takes a word $c$ as input and guesses whether or not the BCH code corrects an error during the HQC decryption of $c$. To this end, it calls $\mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}(pk, c)$, yielding the running time $t$, and outputs the error weight $i$ such that $|t - T_i|$ is minimal. The complexity of a $\mathcal{O}^{0/1}_{\mathrm{HQC}}$ request (i.e. an Eval step) is equal to the complexity of an HQC decryption, namely $O(n\sqrt{n})$ operations in $\mathbb{F}_{q^m}$ (under the assumption $\delta = O(\sqrt{n})$, as is the case in HQC, see section 4.2).

Algorithm 1: Init step of $\mathcal{O}^{0/1}_{\mathrm{HQC}}$
  Input: A public key $pk$; a precision parameter $p$
  Output: A couple $(T_0, T_1)$ of expected running times
  $T_0 \leftarrow \mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}(pk, 0^{2n})$
  $T_1 \leftarrow 0$
  for $i \in (0, 1, \dots, p-1)$ do
    $b \xleftarrow{\$} \{1, 2, \dots, n_1\}$
    $c \leftarrow (0^{(b-1) n_2}\, 1^{n_2}\, 0^{n - b n_2})$
    $T_1 \leftarrow T_1 + \mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}(pk, c)$
  $T_1 \leftarrow T_1 / p$
  return $(T_0, T_1)$

Algorithm 2: Eval step of $\mathcal{O}^{0/1}_{\mathrm{HQC}}$
  Input: A public key $pk$ and a ciphertext $c$; expected running times $T_0$ and $T_1$
  Output: The error weight 0 or 1 that the BCH code $B$ corrected during HQC.Decrypt($sk$, $c$)
  $t \leftarrow \mathcal{O}^{\mathrm{Time}}_{\mathrm{HQC}}(pk, c)$
  return $i$ such that $|t - T_i|$ is minimal

4. Practicable timing attack against HQC

In this section, we present a side-channel chosen ciphertext attack against HQC. This attack is a real threat as it has a polynomial complexity and requires a reasonable amount of requests. It proceeds by iterations until the key $y$ is recovered. We first give a brief overview of the attack in section 4.1. We follow by describing its first two iterations in sections 4.2 and 4.3. Finally, we estimate its success probability in section 4.4 and discuss the attack complexity and bandwidth cost in section 4.5.

4.1. Attack overview. The key $y$ has a Hamming weight of $\omega$, meaning it contains $\omega$ bits 1 and $n - \omega$ bits 0. The objective of the attack is to recover the support of $y$, i.e. (the positions of) all 1's. Consider the secret key $y$ as $n_1$ blocks of $n_2$ bits. After initializing the oracle $\mathcal{O}^{0/1}_{\mathrm{HQC}}$, the attack proceeds by iterations. At iteration $i$, the attack searches block by block, finding out all 1's from each block containing exactly $i$. This is done by querying the oracle with appropriate requests. For all requests, the vector $u$ is chosen as $u := (1\, 0^{n-1})$ such that $uy = y$ and $a = v - y$. The input $a$ isn't fed directly to the BCH code decoder but needs to go through the repetition code decoder first. So one wants to pick $v$ such that $v - y$ establishes a majority of 1's in the block that $v$ alone wouldn't have. This naturally leads us to consider vectors $v$ having a 1 in $\lfloor n_2/2 \rfloor$ positions of a block $v_i$. Doing so, either block $y_i$ has a 1 in one of the remaining positions, which leads $(v - y)_i$ to have a majority of 1's, and the oracle returns 1; or block $y_i$ has no 1's in the remaining positions, $(v - y)_i$ has no majority of 1's, and the oracle returns 0. Either way the oracle response leaks information on block $y_i$'s content. Nevertheless, this strategy does not always work, as $y$ can have multiple 1's per block. When it does, these 1's could cancel those we set in $v$ and break our majority, preventing us from gaining information. This complexifies our task and is the reason why we split the attack in different iterations, each designed to search within $y$'s blocks for a certain number of 1's. For the sake of clarity and simplicity, we only describe the first two iterations.

4.2. First iteration. During the first iteration, we aim to recover all 1's of $y$ alone in their block. Let's consider the $(i+1)$-th block $y_i$ of $y$ ($0 \le i \le n_1 - 1$) and $v_i$ the corresponding block of $v$. In order to determine the position of an eventual lone 1 in $y_i$, we start querying the oracle with $(u, v)$ such that:
$$v_j = 0^{n_2} \text{ if } j \ne i, \qquad v_i = (1^{\lfloor n_2/2 \rfloor}\, 0^{\lceil n_2/2 \rceil}).$$
If the oracle response is 1, it means $B$ corrected an error, thus $y_i$ has a 1 in one of its last $\lceil n_2/2 \rceil$ positions. Proceeding by dichotomy, we can then submit to the oracle the query $(u, v)$ with:
$$v_j = 0^{n_2} \text{ if } j \ne i, \qquad v_i = (0^{\lceil n_2/2 \rceil / 2}\, 1^{\lfloor n_2/2 \rfloor}\, 0^{\lceil n_2/2 \rceil / 2}).$$
For example, if $n_2 = 31$, our first request would be with $v_i = (1^{15}\, 0^{16})$. Assuming a response 1, we would identify a 1 in one of the last 16 positions and follow with a second request where $v_i = (0^8\, 1^{15}\, 0^8)$, reducing by half the set of remaining candidates for the position of the 1. This allows us to pinpoint the position in $\lfloor \log_2 n_2 \rfloor + 1$ requests. If we get a response 0 to our first request, the same amount of requests is enough to either find the position of the lone 1 or know there aren't any. However, since there are many more blocks without 1 than blocks with any, one can reduce the number of requests. Instead the second request is $(u, v)$ with:
$$v_j = 0^{n_2} \text{ if } j \ne i, \qquad v_i = (0^{\lceil n_2/2 \rceil}\, 1^{\lfloor n_2/2 \rfloor}).$$
This way, if the oracle returns 0, one can immediately dismiss the block with this second request as it does not have exactly one 1. This implies performing an extra request if it turns out there's a 1 to find, but saves us $\lfloor \log_2 n_2 \rfloor - 1$ requests most of the time. Since there are a total of $n_1$ blocks, and $y$ has at most $\omega$ blocks containing a single 1, the first iteration requires at most $2(n_1 - \omega) + \omega(\lfloor \log_2 n_2 \rfloor + 1)$ requests.

Let's examine the complexity of this iteration. A request amounts to:
- the computation of $v - uy$. The product complexity is $2\omega n + (\omega - 1)n$ (rotating $\omega$ arrays of size $n$ and summing the resulting vectors). With the final addition, this operation's complexity is $3\omega n$.
- $n_1$ $R$-decodings of complexity $n_1((n_2 - 1) + 1) = n$ (for each of the $n_1$ blocks, its $n_2$ bits are summed and a comparison is done).
- a $B$-decoding of complexity $O(n_1^2)$ under the HQC hypothesis $\delta = O(\sqrt{n})$.
Under the assumption $\omega = O(\sqrt{n})$, we get a request complexity of $O(n\sqrt{n})$ and an overall complexity in $O(n^{5/2})$ for the first iteration. The probability that the attack is successful after this first iteration is low enough (see section 4.4) that it calls for a second iteration.

4.3. Second iteration. The first iteration of the attack identified all 1's alone in their blocks. We now look for blocks of $y$ containing exactly two 1's. In order to do so, we need to analyze what happens when one encounters such a block during the first iteration. There are two kinds of situations:
- case a: both 1's are in the same half of the block (including the middle position if $n_2$ is odd). If they're in the upper half, our first request gets a response 1 and we end up identifying the position of the 1 closer to the middle of the block. If they're in the lower half, our first request gets a response 0 but our second request gets a response 1, and we again end up identifying the position of the 1 closer to the middle of the block.
- case b: both halves have a 1 (note that the case where $n_2$ is odd and there is a 1 in the middle would have been detected already). In that case the first two requests return 0 and the block is discarded.
The second iteration will be divided in two phases treating blocks falling in each case. One can remark that there should be roughly the same amount of blocks falling in each case, simply because if one fixes a position in a block and randomly picks another position of the block, there are almost as many positions left in the same half as in the other half.

4.3.1. Phase 1. Here the search is focused on blocks in which a 1 has already been identified.
Clearly this situation is very similar to the first iteration. We can just ignore the 1 we know of, consider the block is of length $n_2 - 1$ and assume we need one less to achieve majority. This can be done using dichotomy as in the first iteration, except each time we pick $\lfloor n_2/2 \rfloor - 1$ positions out of these $n_2 - 1$. This phase can be performed efficiently as at most $\lfloor \omega/2 \rfloor$ blocks have to be looked into. This makes a maximum of $\lfloor \omega/2 \rfloor (\lfloor \log_2 n_2 \rfloor + 2)$ requests. Under the hypothesis $\omega = O(\sqrt{n})$, this phase complexity is:
$$\lfloor \omega/2 \rfloor (\lfloor \log_2 n_2 \rfloor + 2) \cdot O(n\sqrt{n}) = O(n^2 \log_2 n).$$

4.3.2. Phase 2. Now we turn to the remaining blocks. We want to catch those containing precisely two 1's. Let's recall that in the event of such a block, it has a 1 in each block half (and none in the middle if $n_2$ is odd). We can generalize the same strategy applied in the first iteration; we can distinguish whether or not the block contains a pair of 1's in four requests $(u, v)$ with $v_j = 0$ if $j \ne i$ and:
$$v_i = \big(1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\big)$$
$$v_i = \big(0^{(\lceil n_2/2 \rceil + 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\big)$$
$$v_i = \big(1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\big)$$
$$v_i = \big(0^{(\lceil n_2/2 \rceil + 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 1^{(\lfloor n_2/2 \rfloor - 1)/2}\; 0^{(\lceil n_2/2 \rceil + 1)/2}\big)$$
Since one knows the 1's are in different halves of the block, there are only four different pairs of quarters they can be in. Each of the aforementioned requests tests one such pair. Therefore, if the oracle returns 0 to these four requests, the block contains either no 1's or more than two. If the oracle answers 1 to one of these requests, one retrieves two ranges of indices, both containing a 1. Then, proceeding by dichotomy for each range, one can narrow it down to a singleton in $\log_2 \frac{\lceil n_2/2 \rceil + 1}{2} + 1$ requests. In the worst case scenario, we have $\lfloor \omega/2 \rfloor$ blocks containing two 1's, none of which have been detected yet. This takes
$$\frac{\omega}{2}\Big(4 + 2\Big(\log_2 \frac{\lceil n_2/2 \rceil + 1}{2} + 2\Big)\Big) + 4\Big(n_1 - \frac{\omega}{2}\Big)$$
requests to find them all, from which we derive the second iteration complexity of:
$$\Big(2 \cdot \frac{\omega}{2}\Big(\log_2 \frac{\lceil n_2/2 \rceil + 1}{2} + 1\Big) + 4 n_1\Big) \cdot O(n\sqrt{n}) = O(n^{5/2}).$$

4.4. Success probability estimation. Let's calculate the probabilities that $y$ has been retrieved after each iteration. Let the following events be, for $0 \le i \le \lfloor n_1/2 \rfloor$:
- $A_i$: "$y$ has exactly $i$ blocks with two 1's and no block with more."
- $A$: "$y$ has at most two 1's per block."
The event $A_0$ can also be described as the attack being successful after the first iteration. This means $y$ has $\omega$ blocks containing a single 1, for which we have $n_2$ positions to choose from, and $n_1 - \omega$ blocks containing none. Therefore:
$$P(A_0) = \frac{\binom{n_1}{\omega}\, n_2^{\omega}}{\binom{n}{\omega}}.$$
With HQC-128-1 [1] parameters $n_1 = 796$, $n_2 = 31$ and $\omega = 67$, one has $P(A_0) \simeq 0.0625$. One recovers 6.25 percent of potential keys $y$ after the first iteration. Let's now compute the probability $P(A)$ that the attack is successful after at most two iterations. $A$ is the disjoint union of the $A_i$:
$$P(A) = \sum_{i=0}^{\lfloor n_1/2 \rfloor} P(A_i)$$
$$P(A) = \binom{n}{\omega}^{-1} \sum_{i=0}^{\lfloor n_1/2 \rfloor} \binom{n_1}{i} \binom{n_2}{2}^{i} \binom{n_1 - i}{\omega - 2i}\, n_2^{\omega - 2i}.$$
With $n_1 = 796$, $n_2 = 31$ and $\omega = 67$, one finds $P(A) \simeq 0.9344$. 93 percent of potential keys have been retrieved after the second iteration. One could show that the attack success probability after three iterations is above 99 percent.

4.5. Attack complexity and bandwidth cost. Table 1 presents the attack complexity and the number of required requests with respect to HQC parameters. Since the multiplication takes most of the decryption workload, we took twice its complexity (i.e. $6\omega n$) as an upper bound of a request complexity. We implemented the attack locally for HQC-128-1. Table 1 assumes each oracle request is done once. However, in a real life scenario, different runs of the same request usually yield slightly different execution times. This derails the attack if the real execution time is closer to $T_i$ than $T_{1-i}$ but the measured execution time is closer to $T_{1-i}$ than $T_i$, for $i = 0, 1$. To mitigate this effect, we take the standard approach of repeating each request several times, each time measuring the execution time, and taking the median of the batch as execution time estimate. The tests were performed on a machine with 16GB of memory, equipped with an Intel core i7-7820X CPU @ 3.60GHz and with Hyper-Threading, Turbo Boost and SpeedStep features disabled. On this machine, repeating each request nine times, the attack against HQC-128-1 takes less than a minute to complete. We ran a thousand attacks. As expected, 7% of them fail because the key $y$ has a block with at least three 1's. 5% of them also fail because of the aforementioned random nature of measurements. This can be lowered by raising the repeat count at the expense of a higher running time. Overall 88% of attacks succeed.

Table 1. Attack complexity and bandwidth cost against HQC

|                              | Complexity upper bound |        |        | Requests |       |       |
|                              | 128-1   | 192-2  | 256-3  | 128-1    | 192-2 | 256-3 |
| Oracle Init ($p = 1$)        | $2^{25}$ | $2^{26}$ | $2^{27}$ | 2     | 2     | 2     |
| First iteration              | $2^{35}$ | $2^{36}$ | $2^{37}$ | 1793  | 1936  | 2257  |
| Second iteration - phase 1   | $2^{31}$ | $2^{34}$ | $2^{35}$ | 198   | 350   | 528   |
| Second iteration - phase 2   | $2^{35}$ | $2^{37}$ | $2^{38}$ | 3448  | 3564  | 3844  |
| Total                        | $2^{36}$ | $2^{38}$ | $2^{39}$ | 5441  | 5852  | 6631  |

128-1: 128-bit security and a Decoding Failure Rate (DFR) less than $2^{-64}$; 192-2: 192-bit security and a DFR less than $2^{-96}$; 256-3: 256-bit security and a DFR less than $2^{-128}$.

5. Constant time decoding of BCH codes

A constant time BCH code decoding algorithm naturally thwarts the attack. In this section we discuss how to construct such an algorithm. We start by specifying the constant time model we are considering and discuss how one can transform a non constant time algorithm into a constant time one (section 5.1). We then apply these techniques to finite field arithmetic (section 5.2), syndromes and roots computation (section 5.3) and ELP computation (section 5.4). This allows us to provide two variants of a constant time algorithm for BCH code decoding. To finish, we provide the results of our tests and discuss which variant should be considered depending on the chosen BCH code and the targeted material (section 5.5).

5.1. Constant time implementation. For constant time implementation, two security models are usually considered: full constant time, where the algorithm running time is indeed constant; and timing attack resistant, where the algorithm running time is independent of its secrets (although its running time may vary). Since an attacker can force the BCH code decoder to use the secret $y$ as its input (with ciphertext $(0^n, 1^{n_2}\, 0^{n - n_2})$ for example), we hereafter consider the full constant time model. There are three kinds of obstacles to constant time implementation: loops whose bound is input-dependent, branches whose condition is input-dependent and input-dependent memory accesses.
Natural fixes for each of these obstacles would respectively be [16]:
- To patch loops whose condition depends upon inputs by supplying a constant bound (the maximum number of iterations) and performing dummy operations once the original bound has been reached.
- To patch branches whose condition depends upon inputs by executing both branches and using a flag to control which branch is effectively executed.
- To patch array accesses whose index depends upon inputs either by eliminating them or by ensuring the corresponding address is already cached.

Dealing with leaking array accesses can be done in several ways. Walters and Sinha Roy [16] suggest patching each such access by scanning the whole array to load it into the cache. For nested array accesses, this operation may induce a huge performance penalty. One may scan the array less often, but it requires being careful about addresses not being evicted from the L1 cache. One also has to be wary of the compiler with this approach, as compilers tend to identify these kinds of "do nothing" loops and optimize them out. We will denote the approach of scanning an array having potential leaking accesses once (and only once) as a cache-dependent patch, as it works only if the cache is big enough or if code parameters are small enough. Note that even if the access doesn't leak anymore, it still, strictly speaking, depends on the inputs. The second approach is a cache-independent patch, which consists of removing the array access entirely. The idea is to first determine the range of indices that can potentially be accessed, then loop on all these indices, each time performing either a dummy operation or the real one as needed.

Now recall from section 2.1 that BCH code decoding has three steps: syndromes computation, ELP computation and roots computation. To provide a constant time implementation of BCH code decoding, we need to achieve constant time for Galois field arithmetic as well as for each of these three steps. We propose two variants: one with some cache-dependent array accesses and one without any cache-dependent array access.

5.2. Constant time field arithmetic. All three steps of decoding make abundant use of field operations (mostly additions and multiplications) that need to be constant time.

Addition. For addition we use coefficient-wise xor.

Multiplication. We propose two implementations for multiplication:
(1) lookup tables. Given log and antilog tables (relative to a primitive element $\alpha \in \mathbb{F}_{2^m}$), multiplying two elements of $\mathbb{F}_{2^m}$ is done by taking their logarithms, adding them modulo $2^m - 1$, and taking the antilog.
(2) the CLMUL instruction set. This is an extension to the x86 instruction set for microprocessors from Intel and AMD. The pclmulqdq instruction computes the 128-bit carry-less product of two 64-bit values. We then reduce modulo the primitive polynomial using bitwise operations.
Implementation 2 is constant time but requires support for the CLMUL instruction set. Note that if one knows of a more efficient multiplication implementation or if the CLMUL instruction set is not available, one can use any other multiplication implementation as long as it is constant time. Implementation 1 is faster but not constant time by itself because it uses three input-dependent array accesses. However, using the aforementioned cache-dependent patch, that is scanning both log and antilog tables at the beginning of decoding, we may have implementation 1 run in constant time, depending on cache size and code parameters. These two underlying implementations for field multiplication distinguish our two constant time implementation variants.

Squaring. For squaring we use bitwise operations with constant shift amounts.

Inversion. For inversion we use fast exponentiation.

5.3. Constant time syndromes computation and roots computation. We start with steps 1 and 3 of BCH decoding, i.e. computation of syndromes and roots. For both we benefit from fast algorithms developed by Bernstein et al. [6], who built on previous work from Gao and Mateer [10]. They use an additive Fast Fourier Transform (FFT) algorithm to compute the syndromes and its transpose algorithm to compute the ELP roots. Both these algorithms are constant time. We refer the reader to the aforementioned papers for more details on the additive FFT. We describe a small adjustment to these algorithms. Additive FFT is a recursive algorithm which calls two copies of itself. At each recursion level, some constants (called gammas and deltas) are computed using field operations. Bernstein et al. propose a bitsliced version of the algorithm. Since we use a non bitsliced version here, field operations are more costly. As a result, recomputing these constants is more expensive than accessing them from an array (even factoring in some L1 cache misses). Therefore, we compute these constants only once and store them in lookup tables for our subsequent needs. Note that the array accesses to these tables are not subject to timing leaks.

5.4. Constant time error locator polynomial computation. Here we start with Berlekamp's simplified algorithm [5, 13] (see appendix A). We then use the standard techniques described in section 5.1 to make it constant time, opting for the cache-independent approach when we encounter input-dependent array accesses. Because pseudocode hides implementation details by nature whereas constant time is an implementation-sensitive property, we give a constant time C implementation of Berlekamp's simplified algorithm in appendix B.

5.5. Test results. The benchmarks are performed on a machine which has 16GB of memory and is equipped with an Intel core i7-7820X CPU @ 3.60GHz. Hyper-Threading, Turbo Boost and SpeedStep features are disabled. L1 data cache is 32 kilobytes. We pick six BCH codes of various parameters. For each chosen BCH code $[n, k, \delta]$, we conduct two tests (one for each implementation of field multiplication) as follows. We generate 10000 erroneous codewords with a distribution of error weights between 0 and $1.1\delta$ where error positions are picked randomly. Each codeword is decoded 100 times. Out of each batch, the minimum execution time is taken as the estimated execution time for decoding that codeword. For each error weight of the distribution, we also monitor the minimum and maximum of these minimum running times. At the end of the test, for each of the two codewords giving the global minimum or maximum, we run another 100 decodings and take the minimum to confirm whether or not these extremums are circumstantial (these recomputed values don't appear on the graphs). For the two BCH codes $[796, 256, 60]$ and $[766, 256, 57]$ used in HQC, we use some optimizations. Firstly we use hardcoded lookup tables for both $\mathbb{F}_{1024}$ and the FFT constants. Secondly we use all optimizations suggested by Bernstein et al. [6] regarding the additive FFT, namely picking an ideal basis to avoid twisting; dealing with 2-coefficient and 3-coefficient polynomials more efficiently; and unrolling both the FFT and its transpose. Note that these codes are shortened BCH codes. Because it doesn't fundamentally impact our case, we won't discuss it here but we refer the reader to [1] for more details. An implementation will be made available at pqc-hqc.org.

We give the results in the form of graphs (see figures 2 and 3). Figure 2 features the decoding of all six codes using lookup tables for field multiplication whereas figure 3 features these same codes using the pclmulqdq instruction for field multiplication. Each graph is vertically centered around the mean execution time $t_{\mathrm{mean}}$. Vertical axes spread from $0.95\, t_{\mathrm{mean}}$ to $1.05\, t_{\mathrm{mean}}$, except for the last code $[32767, 16412, 1315]$ where it stretches from $0.85\, t_{\mathrm{mean}}$ to $1.15\, t_{\mathrm{mean}}$. As expected, on one hand, the second implementation of multiplication looks perfectly constant time (see figure 3). For all six codes, regardless of the number of errors, the relative difference between any extremum and the mean decoding time always stays under 1%. On the other hand, the first implementation appears to be constant time only for the first three codes, that is if $m \le 12$, i.e. up to $\mathbb{F}_{4096}$ (see the first three graphs of figure 2). Above that, the first implementation runs into cache issues. Indeed, our implementation uses uint16_t to represent field elements, which means two bytes per element. For $\mathbb{F}_{8192}$, log and antilog tables require $2 \cdot 2 \cdot 8192 = 32767$ bytes, which completely fill the L1 data cache of 32 kilobytes for the considered machine. From there, any computation will lead to addresses being evicted from the cache, which in turn will cause timing leaks (see the last three graphs of figure 2). For $\mathbb{F}_{4096}$, the lookup tables take only half the memory, which seems to leave enough for our decoding needs. However, for the small fields where it is constant time, the first implementation has better performance than the second (see tables 3 and 4). For the BCH codes used in HQC, observed decoding times are 30% faster. So our recommendation would be to use the first multiplication implementation (lookup tables) for BCH codes on field $\mathbb{F}_{4096}$ or smaller, which is the case of HQC, and to use the second multiplication implementation (via pclmulqdq) for larger fields.

We integrated the constant time BCH decoding algorithm in the optimized implementation of HQC IND-CCA2 to measure the performance overhead. We restrict our measurements to the lookup tables variant of the BCH decoding. In table 2 we report CPU cycle counts for the decapsulation step of HQC across the different security levels with either the original BCH implementation or the constant time variant. One can see that our constant time implementation only adds a little overhead, between 3.21% and 11.06%.

Table 2. Running time (CPU cycles) and overhead when original or constant time BCH decoding is used in the decapsulation step of HQC

|           | HQC.Decaps, original BCH | HQC.Decaps, constant time BCH | Overhead |
| HQC-128-1 | 507285  | 563414  | 11.06% |
| HQC-192-1 | 947552  | 995272  | 5.05%  |
| HQC-192-2 | 992057  | 1047054 | 5.54%  |
| HQC-256-1 | 1490993 | 1538824 | 3.21%  |
| HQC-256-2 | 1562207 | 1616673 | 3.49%  |
| HQC-256-3 | 1617269 | 1675195 | 3.58%  |

6. Conclusion

In this work, we have highlighted a correlation between the weight of the error to be decoded and the running time of decoding BCH codes when Berlekamp's simplified algorithm is straightforwardly implemented. Next, we have devised an efficient chosen ciphertext timing attack against HQC based on that correlation. We then implemented it in software and carried it out against different security levels of HQC. The attack is very efficient as it recovers the secret key $y$ often enough in a couple of iterations and its overall complexity is $O(n^{5/2})$. In order to thwart this attack, we proposed two variants of a constant-time decoding algorithm for BCH codes. Furthermore, we integrated our new constant time algorithm in the latest version of HQC and showed that this countermeasure results in minimal performance overhead.

References

[1] C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit, E. Persichetti and G. Zémor, Hamming Quasi-Cyclic (HQC), 2017.
[2] C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit and G. Zémor, Rank Quasi-Cyclic (RQC), 2017.
[3] C. Aguilar-Melchor, O. Blazy, J.-C. Deneuville, P. Gaborit and G. Zémor, Efficient Encryption from Random Quasi-Cyclic Codes, IEEE Transactions on Information Theory, 64 (2018), 3927-3943.
[4] S. Bettaieb, L. Bidoux, P. Gaborit and E. Marcatel, Preventing timing attacks against RQC using constant time decoding of Gabidulin codes, in International Conference on Post-Quantum Cryptography, Springer, (2019), 371-386.
[5] E. R. Berlekamp, Non-binary BCH decoding, Technical report, North Carolina State University, Dept. of Statistics, 1966.
[6] D. J. Bernstein, T. Chou and P. Schwabe, McBits: fast constant-time code-based cryptography, in International Workshop on Cryptographic Hardware and Embedded Systems, Springer, (2013), 250-272.
[7] R. Chandra Bose and D. K. Ray-Chaudhuri, On a class of error correcting binary group codes, Information and Control, 3 (1960), 68-79.
[8] J.-P. D'Anvers, F. Vercauteren and I. Verbauwhede, On the impact of decryption failures on the security of LWE/LWR based schemes, IACR Cryptology ePrint Archive, 2018:1089, 2018.
[9] E. M. Gabidulin, Theory of codes with maximum rank distance, Problemy Peredachi Informatsii, 21 (1985), 3-16.
[10] S. Gao and T. Mateer, Additive fast Fourier transforms over finite fields, IEEE Transactions on Information Theory, 56 (2010), 6265-6272.
[11] A. Hocquenghem, Codes correcteurs d'erreurs, Chiffres, 2 (1959), 147-156.
[12] D. Hofheinz, K. Hövelmanns and E. Kiltz, A modular analysis of the Fujisaki-Okamoto transformation, in Theory of Cryptography Conference, Springer, (2017), 341-371.
[13] L. L. Joiner and J. J. Komo, Decoding binary BCH codes, in Southeastcon '95, 1995.
[14] S. Lin and D. J. Costello, Error Control Coding, Prentice Hall, Englewood Cliffs (2004).
[15] X. Lu, Y. Liu, Z. Zhang, D. Jia, H. Xue, J. He, B. Li, K. Wang, Z. Liu and H. Yang, LAC: Practical Ring-LWE based Public-Key Encryption with Byte-Level Modulus, IACR Cryptology ePrint Archive, 2018:1009, 2018.
[16] M. Walters and S. Sinha Roy, Constant-time BCH Error-Correcting Code, IACR Cryptology ePrint Archive, 2019:155, 2019.

Table 3. Decoding of some BCH codes with multiplication by tables (running time in CPU cycles)

| BCH code $[n, k, \delta]$ | LuT    | Syndromes | ELP      | Roots   | Total   |
| $[766, 256, 57]$          | 0      | 34240     | 30089    | 26778   | 91873   |
| $[796, 256, 60]$          | 0      | 34646     | 33359    | 27086   | 95861   |
| $[4095, 418, 501]$        | 82491  | 291827    | 2145899  | 187004  | 2711521 |
| $[8191, 7580, 47]$        | 124587 | 278191    | 23216    | 186407  | 616569  |
| $[16383, 14598, 130]$     | 245850 | 789651    | 166062   | 552630  | 1760773 |
| $[32767, 16412, 1315]$    | 503337 | 2531258   | 17361393 | 178667  |         |
19 722217535 Table4.DecodingofsomeBCHcodesw
722217535 Table4.DecodingofsomeBCHcodeswithmultiplicationbypclmulqdq BCHcode[n;k;] Runningtime(inCPUcycles) LuTSyndromesELPRootsTotal [766;256;57] 0427995073534017128226 [796;256;60] 0435605556234404134157 [4095;418;501] 9699747481745858933211025482880 [8191;7580;47] 13417644301661288311542953739 [16383;14598;130] 260450150141147417711066803352090 [32767;16412;1315] 484200214356714832791151418918996691 TIMINGATTACKONHQCANDCOUNTERMEASURE17 0 10 20 30 40 50 60 88000 90000 92000 94000 96000 DecodingofBCHcode[766;256;57](variant1) maximum mean minimum 0 10 20 30 40 50 60 92000 94000 96000 98000 100000 DecodingofBCHcode[796;256;60](variant1) maximum mean minimum 0 100 200 300 400 500 2600000 2650000 2700000 2750000 2800000 DecodingofBCHcode[4095,418,501](variant1) maximum mean minimum 0 10 20 30 40 50 600000 620000 640000 DecodingofBCHcode[8191;7580;47](variant1) maximum mean minimum 0 20 40 60 80 100 120 140 1700000 1750000 1800000 DecodingofBCHcode[16383;14598;130](variant1) maximum mean minimum 0 200 400 600 800 1;000 1;200 1;400 20000000 22000000 24000000 DecodingofBCHcode[32767;16412;1315](variant1) maximum mean minimum Figure2.Decodingexecutiontimes(inCPUcycles)ofvariousBCHcodesfordierenterrorweightswitheldmutliplicationim-plementedbylookuptables(variant1). 18TIMINGATTACKONHQCANDCOUNTERMEASURE 0 10 20 30 40 50 60 122000 124000 126000 128000 130000 132000 134000 DecodingofBCHcode[766;256;57](variant2) maximum mean minimum 0 10 20 30 40 50 60 128000 130000 132000 134000 136000 138000 140000 DecodingofBCHcode[796;256;60](variant2) maximum mean minimum 0 100 200 300 400 500 5300000 5400000 5500000 5600000 5700000 DecodingofBCHcode[4095,418,501](variant2) maximum mean minimum 0 10 20 30 40 50 920000 940000 960000 980000 1000000 DecodingofBCHcode[8191;7580;47](variant2) maximum mean minimum 0 20 40 60 80 100 120 140 3200000 3300000 3400000 3500000 DecodingofBCHcode[16383;14598;130](variant2) maximum mean minimum 0 200 400 600 800 1;000 1;200 1;400 17000000 18000000
20 19000000 20000000 21000000 DecodingofBCH
19000000 20000000 21000000 DecodingofBCHcode[32767;16412;1315](variant2) maximum mean minimum Figure3.Decodingexecutiontimes(inCPUcycles)ofvariousBCHcodesfordierenterrorweightswitheldmultiplicationim-plementedviapclmulqdqinstruction(variant2). TIMINGATTACKONHQCANDCOUNTERMEASURE19AppendixA.ELPcomputation Algorithm3:SimpliedBerlekampalgorithm[5,13] Input:AlistofsyndromesS1,S2,...,S2Output:Thecorrespondingerrorlocatorpolynomial(X)/*Initializethefollowingarray*/ ()(X) d l 2l 1 2 1 1 0 1 0 1 S1 0 0 /*Fillthearray'snextlinesasfollows*/repeat ifd=0then (+1)(X)=()(X)l+1=l ifd6=0then Findanotherline,whered6=0and2lismaximal(+1)(X)=()(X)+dd1X2()()(X)l+1=max(l;l+2()) Computed+1=S2+3+(+1)1S2+2+:::+(+1)l+1S2+3l+1Incrementandcompute2luntil=return()(X) 20TIMINGATTACKONHQCANDCOUNTERMEASUREAppendixB.ConstanttimeELPcomputationTheCfunctionbelowcomputestheerrorlocatorpolynomialusingaconstanttimeversionofBerlekamp'ssimpliedalgorithm.Ithasthefollowingfeatures:TheconstantPARAM_DELTAisthecorrectioncapacity1oftheBCHcode.ElementsofF2marerepresentedbyuint16_taspolynomials(m15).gf_mulistheGaloiseldmultiplication.Ittakestwoelementsandreturnstheirproduct.gf_inversecomputesanelementinverse.Itreturns0forinput0.syndromesisanarrayofsize2*PARAM_DELTAstoringthe2syndromes.sigmaisanarrayofsizePARAM_DELTA+1thatwillreceivethe+1coef-cientsoftheELP.Thefunctionreturnsthedegreeof(X)(anditscoecientsinthearraysigma).ThearrayX_sigma_prepresentsthepolynomialX2()(X).Insteadofmaintainingalistof(i)(X),weupdateinplaceboth(X)(arraysigma)andthecorrectivetermX2()(X)(
21 arrayX_sigma_p).Wedon'tcareabout
arrayX_sigma_p).Wedon'tcareabout(X)ifitsdegreeexceedsPARAM_DELTA[13].Sowedon'tcareaboutX_sigma_pifitsdegreeexceedsPARAM_DELTAeither.sigma_copyservesasatemporarysaveofsigmaincaseweneedittoupdateX_sigma_p.WeonlyneedtosavetherstPARAM_DELTA1coecientsofsigma. size tcompute elp(uint16 tsigma,constuint16 tsyndromes)fmemset(sigma,0,2(PARAM DELTA+1));sigma[0]=1;size tdeg sigma=0;size tdeg sigma p=0;uint16 tsigma copy[PARAM DELTA1]=f0g;size tdeg sigma copy=0;uint16 tX sigma p[PARAM DELTA+1]=f0,1g;intpp=1;//2rhouint16 td p=1;uint16 td=syndromes[0];for(size tmu=0;muPARAM DELTA;++mu)f//SavesigmaincaseweneedittoupdateX sigma pmemcpy(sigma copy,sigma,2(PARAM DELTA1));deg sigma copy=deg sigma;uint16 tdd=gf mul(d,gf inverse(d p));//0if(d==0)for(size ti=1;(i=2mu+1)&&(i=PARAM DELTA);++i)sigma[i]^=gf mul(dd,X sigma p[i]);size tdeg X=2mupp;//2(murho)size tdeg X sigma p=deg X+deg sigma p;//mask1=0xffffif(d!=0)and0otherwiseint16 tmask1=((uint16 t)d15); TIMINGATTACKONHQCANDCOUNTERMEASURE21//mask2=0xffffif(deg X sigma pdeg sigma)and0otherwiseint16 tmask2=((uint16 t)(deg sigmadeg X sigma p)15);//mask12=0xffffifthedeg sigmaincreasedand0otherwiseint16 tmask12=mask1&mask2;deg sigma=(mask12° X sigma p)^(~mask12° sigma);if(mu==PARAM DELTA1)break;//Updatepp,d pandX sigma pifneededpp=(mask12&(2mu))^(~mask12&pp);d p=(mask12&d)^(~mask12&d p);for(size ti=PARAM DELTA1;i;i)X sigma p[i+1]=(mask12&sigma copy[i1])^(~mask12&X sigma p[i1]);X sigma p[1]=0;X sigma p[0]=0;deg sigma p=(mask12° sigma copy)^(~mask12° sigma p);//Computethenextdiscrepancyd=syndromes[2mu+2];for(size ti=1;(i=2mu+1)&&(i=PARAM DELTA);++i)d^=gf mul(sigma[i],syndromes[2mu+2i]);greturndeg sigma;g Emailaddress:kyzdra@yahoo.frEmailaddress:slim.bettaieb@worldline.comEmailaddress:loic.bidoux@worldline.comEmailaddress:gaborit@unilim.frEmailaddress:etienne.marcatel@
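The mask arithmetic in the compute_elp function of Appendix B is the whole countermeasure: the two tests of Algorithm 3 (d_μ ≠ 0, and whether the degree grows) become full-width masks that select between both outcomes without a branch. As an added example that is not the paper's code, the C program below isolates that single step, places the branching reference next to the masked version, and checks on constructed inputs that the two agree; like the paper it assumes field elements below 2^15 (m ≤ 15), and the 0xffff case shows why that precondition matters.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not the paper's code): the sign-mask idiom Appendix B uses to replace the
 * secret-dependent branches of Algorithm 3 with arithmetic. Assumes m <= 15, i.e. d < 2^15. */

/* 0xffff if d != 0, else 0: for 0 < d < 2^15, -d mod 2^16 has bit 15 set (fails for d = 0xffff). */
static int16_t mask_nonzero(uint16_t d) { return -((uint16_t)-d >> 15); }

/* 0xffff if b > a, else 0 (the deg_X_sigma_p > deg_sigma test); needs b - a < 2^15. */
static int16_t mask_gt(size_t a, size_t b) { return -((uint16_t)(a - b) >> 15); }

/* The values one Berlekamp step may update: l_mu (deg_sigma), 2*rho (pp) and d_rho (d_p). */
struct elp_state { size_t deg_sigma; int pp; uint16_t d_p; };

/* Branching reference: "if d_mu != 0 and the degree grows, this line becomes the new rho".
 * Whether the body runs depends on the discrepancy d, which depends on the secret error. */
static struct elp_state step_branchy(struct elp_state s, uint16_t d, size_t deg_X_sigma_p, size_t mu) {
    if (d != 0 && deg_X_sigma_p > s.deg_sigma) {
        s.deg_sigma = deg_X_sigma_p;
        s.pp = (int)(2 * mu);
        s.d_p = d;
    }
    return s;
}

/* Constant-time version: identical result, same instructions executed on every call. */
static struct elp_state step_masked(struct elp_state s, uint16_t d, size_t deg_X_sigma_p, size_t mu) {
    int16_t mask12 = mask_nonzero(d) & mask_gt(s.deg_sigma, deg_X_sigma_p);
    s.deg_sigma = (mask12 & deg_X_sigma_p) ^ (~mask12 & s.deg_sigma);
    s.pp = (mask12 & (int)(2 * mu)) ^ (~mask12 & s.pp);
    s.d_p = (mask12 & d) ^ (~mask12 & s.d_p);
    return s;
}

/* Differential check on constructed inputs: returns 1 iff masked == branchy in every case. */
static int masks_agree(void) {
    const uint16_t ds[] = { 0, 1, 0x4d3, 0x7fff };   /* 0x7fff is the largest m = 15 element */
    const size_t degs[][2] = { {0, 0}, {0, 1}, {3, 5}, {5, 3}, {7, 7} };
    int ok = 1;
    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < 5; j++)
            for (size_t mu = 0; mu < 4; mu++) {
                struct elp_state s0 = { degs[j][0], -1, 1 };
                struct elp_state a = step_branchy(s0, ds[i], degs[j][1], mu);
                struct elp_state b = step_masked(s0, ds[i], degs[j][1], mu);
                ok &= (a.deg_sigma == b.deg_sigma && a.pp == b.pp && a.d_p == b.d_p);
            }
    return ok;
}
```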