A PRACTICABLE TIMING ATTACK AGAINST HQC AND ITS COUNTERMEASURE (Guillaume Wafo-Tapa et al.)

Uploaded On 2021-08-10



Presentation Transcript

A PRACTICABLE TIMING ATTACK AGAINST HQC AND ITS COUNTERMEASURE

Guillaume Wafo-Tapa, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Slim Bettaieb, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Loïc Bidoux, Worldline, ZI Rue de la pointe, 59113 Seclin, France
Philippe Gaborit, University of Limoges, XLIM-DMI, 123, Av. Albert Thomas, 87060 Limoges, France
Etienne Marcatel, Atos, 68 avenue Jean Jaures, 78340 Les Clayes-sous-Bois, France

Abstract. In this paper, we present a practicable chosen ciphertext timing attack retrieving the secret key of HQC. The attack exploits a correlation between the weight of the error to be decoded and the running time of the decoding algorithm of BCH codes. For the 128-bit security parameters of HQC, the attack runs in less than a minute on a desktop computer using 5441 decoding requests and has a success probability of approximately 93 percent. To prevent this attack, we propose a constant time algorithm for the decoding of BCH codes. Our implementation of the countermeasure achieves a constant time execution of the decoding process without a significant performance penalty.

Keywords and phrases. HQC, BCH decoding, Timing attack, Constant time implementation.

1. Introduction

HQC [1, 3] is a code-based IND-CCA2-secure public key encryption scheme, whose security is based on the hardness of the quasi-cyclic syndrome decoding problem. It is one of the candidate algorithms that has advanced to the round 2 of the NIST post-quantum standardization project. In particular, HQC relies on tensor product codes (BCH codes tensored with repetition codes) in its decryption algorithm. BCH codes are algebraic codes introduced in two independent works by Bose, Chaudhuri [7] and Hocquenghem [11]. Algorithms to decode BCH codes use Galois field arithmetic operations and basically consist in three steps: syndromes computation, error-locator polynomial computation and roots computation. So far, BCH codes have been used to mitigate the decryption failure in various public key encryption schemes based on hard problems of either coding theory [1, 3] or lattices [15]. However, due to side channel timing leakage, a straightforward use of BCH codes would introduce a security weakness in the underlying cryptographic schemes when implemented in software. In fact, D'Anvers et al. [8] showed that the security of LAC, a lattice-based cryptosystem [15], could be significantly reduced if there is a side channel leakage during the error correction of BCH codes. Furthermore, HQC shares the same framework as the RQC [2, 3] cryptosystem. It has been shown in [4] that this framework is vulnerable to a timing attack in the rank metric setting if the decoding of the underlying Gabidulin codes [9] is implemented in a non constant time fashion. Achieving a constant time implementation of the decoding of BCH codes is challenging. In a recent work, Walters and Sinha Roy [16] proposed such a constant time BCH decoding implementation. However, the algorithms used for syndromes computation and roots computation are not the most efficient known in the literature.

Contributions. In this paper, we present a practicable timing attack against HQC that completes under the minute. As countermeasure, we give two variants of a constant time algorithm for BCH codes.

Paper organisation. In section 2, we give some preliminaries on code-based cryptography, decoding BCH codes as well as the HQC cryptosystem. Next, in section 3, we present a correlation between the weight of the error to be decoded and the decoding time of BCH codes. This observation is the cornerstone of the timing attack detailed in section 4. In section 5, we introduce a constant time implementation that constitutes a countermeasure to this attack as well as some experimental results. Finally, we conclude this work in section 6.

2. Preliminaries

In this section, we give some preliminaries regarding the Hamming metric, error-correcting codes and the HQC cryptosystem.

2.1. Coding theory. Let $\mathbb{F}_2$ be the binary finite field and $\mathbb{F}_2^n$ the vector space of dimension $n$ over $\mathbb{F}_2$ for some positive integer $n$. Elements of $\mathbb{F}_2^n$ are considered as vectors or polynomials in $\mathbb{F}_2[X]/(X^n - 1)$.

Definition 2.1 (Support). Let $x \in \mathbb{F}_2^n$. The support of $x$ is the set of indices $i \in [[0, n-1]]$ such that $x_i = 1$.

Definition 2.2 (Hamming weight). Let $x \in \mathbb{F}_2^n$. The Hamming weight of $x$, denoted by $w(x)$, is the cardinal of its support, i.e. the number of its non-zero coordinates.

Definition 2.3 (Hamming distance). Let $x, y \in \mathbb{F}_2^n$. The Hamming distance from $x$ to $y$, denoted by $d(x, y)$, is defined as $w(x - y)$, i.e. the number of coordinates $x$ and $y$ differ on.

Definition 2.4 (Linear code). A linear $[n, k]$-code $\mathcal{C}$ of length $n$ and dimension $k$ is a linear subspace of $\mathbb{F}_2^n$ of dimension $k$.

Definition 2.5 (Generator matrix). A matrix $G \in \mathbb{F}_2^{k \times n}$ is a generator matrix for the $[n, k]$-code $\mathcal{C}$ if $\mathcal{C} = \{ mG \mid m \in \mathbb{F}_2^k \}$.

Definition 2.6 (Parity-check matrix). A matrix $H \in \mathbb{F}_2^{(n-k) \times n}$ is a parity-check matrix for the $[n, k]$-code $\mathcal{C}$ if $\mathcal{C} = \{ x \in \mathbb{F}_2^n \mid Hx^{\top} = 0 \}$.

Definition 2.7 (Correction capacity). Let $\mathcal{C}$ be a linear $[n, k]$-code. The correction capacity of $\mathcal{C}$ is the largest $\delta \in \mathbb{N}$ such that for all $x \in \mathbb{F}_2^n$, there is at most one $c \in \mathcal{C}$ such that $d(x, c) \le \delta$. The code $\mathcal{C}$ is called a $[n, k, \delta]$-code.

Definition 2.8 (Cyclic code [14]). A code $\mathcal{C}$ is said to be cyclic if every cyclic shift of a codeword in $\mathcal{C}$ is also a codeword. That is, $(c_0, c_1, \dots, c_{n-1}) \in \mathcal{C}$ implies $(c_{n-1}, c_0, \dots, c_{n-2}) \in \mathcal{C}$.

Theorem 2.9 (Generator polynomial [14]). Let $\mathcal{C}$ be a cyclic code over $\mathbb{F}_2$. There exists a unique polynomial $g(x)$ in $\mathcal{C}$ of minimal positive degree. Moreover, a polynomial $c(x)$ is a codeword of $\mathcal{C}$ if and only if $g(x)$ divides $c(x)$. The polynomial $g(x)$ is called the generator polynomial of the cyclic code $\mathcal{C}$.

HQC uses a tensor product code obtained as the combination of a BCH code with a repetition code.

Definition 2.10 (Tensor product code [1]). Let $\mathcal{C}_1$ (resp. $\mathcal{C}_2$) be a $[n_1, k_1]$ (resp. $[n_2, k_2]$) linear code over $\mathbb{F}_2$. The tensor product code of $\mathcal{C}_1$ and $\mathcal{C}_2$, denoted $\mathcal{C}_1 \otimes \mathcal{C}_2$, is defined as the set of all $n_2 \times n_1$ matrices whose rows are codewords of $\mathcal{C}_1$ and whose columns are codewords of $\mathcal{C}_2$. More formally, if $\mathcal{C}_1$ (resp. $\mathcal{C}_2$) is generated by $G_1$ (resp. $G_2$), then
$\mathcal{C}_1 \otimes \mathcal{C}_2 = \{ G_2^{\top} X G_1 \mid X \in \mathbb{F}_2^{k_2 \times k_1} \}$.

Theorem 2.11 (BCH code [14]). For any positive integers $m \ge 3$ and $t \le 2^{m-1}$, there exists a binary cyclic BCH $[n, k, \delta]$-code with the following properties: $n = 2^m - 1$; $n - k \le mt$; $\delta \ge t$. Let $\alpha$ be a primitive element in $\mathbb{F}_{2^m}$, and let $\phi_i(x)$ be the minimal polynomial of $\alpha^i$ for $1 \le i \le 2\delta$. The generator polynomial $g(x)$ of the BCH $[n, k, \delta]$-code is the least common multiple of $\phi_1(x), \phi_2(x), \dots, \phi_{2\delta}(x)$, that is,
$g(x) = \mathrm{LCM}\{\phi_1(x), \phi_2(x), \dots, \phi_{2\delta}(x)\}$.

BCH codes encoding. Given the generator polynomial $g(x)$ and a message $u(x) = u_0 + u_1 x + \dots + u_{k-1} x^{k-1}$, the encoding of BCH codes consists of three steps:
(1) Compute $a(x) = x^{n-k} u(x)$.
(2) Compute $b(x) = a(x) \bmod g(x)$.
(3) Form the codeword $c(x) = a(x) + b(x)$.

BCH codes decoding. The decoding of BCH codes also consists of three steps:
(1) Compute the $2\delta$ syndromes from the received polynomial $r(x)$. Let $c(x)$ denote the sent codeword and $e(x)$ the error word, one has $r(x) = c(x) + e(x)$. For $1 \le i \le 2\delta$, the syndromes $S_i$ are defined as $S_i = r(\alpha^i) = e(\alpha^i)$.
(2) Compute the Error Locator Polynomial (ELP) $\sigma(x)$ using the syndromes $(S_i)_{1 \le i \le 2\delta}$. Let $v$ be the number of errors and let $j_1, j_2, \dots, j_v$ be the error positions. Then $e(x) = x^{j_1} + x^{j_2} + \dots + x^{j_v}$, so
$S_i = (\alpha^i)^{j_1} + (\alpha^i)^{j_2} + \dots + (\alpha^i)^{j_v} \quad (1 \le i \le 2\delta)$.
Introducing the error locators $\beta_s = \alpha^{j_s}$, with $s = 1, 2, \dots, v$, one can write the syndromes more explicitly:
$S_1 = \beta_1 + \beta_2 + \dots + \beta_v$
$S_2 = \beta_1^2 + \beta_2^2 + \dots + \beta_v^2$
$\dots$
$S_{2\delta} = \beta_1^{2\delta} + \beta_2^{2\delta} + \dots + \beta_v^{2\delta}$
These are known as power sum symmetric functions. They lead to the definition of the error locator polynomial:
$\sigma(x) = \prod_{r=1}^{v} (1 + \beta_r x) = \sum_{r=0}^{v} \sigma_r x^r$.
$(\sigma_i)_{1 \le i \le v}$ and $(S_i)_{1 \le i \le 2\delta}$ are then related by Newton's identities:
$S_1 + \sigma_1 = 0$
$\dots$
$S_v + \sigma_1 S_{v-1} + \dots + \sigma_{v-1} S_1 + v\sigma_v = 0$
$S_{v+1} + \sigma_1 S_v + \dots + \sigma_{v-1} S_2 + \sigma_v S_1 = 0$
$\dots$
$S_{2\delta} + \sigma_1 S_{2\delta-1} + \dots + \sigma_v S_{2\delta-v} = 0$   (1)
(3) Compute the roots of the error locator polynomial $\sigma(x)$. These roots $\beta_1^{-1}, \beta_2^{-1}, \dots, \beta_v^{-1}$ are the inverses of the error locators. Once found, one can retrieve the error positions $j_1, j_2, \dots, j_v$ and correct $r(x)$.

Definition 2.12 (Repetition code). The binary repetition code $\mathbf{1}_n$ of length $n$ is the set of two codewords $1^n$ (the all ones) and $0^n$ (the all zeros). It has dimension 1 and correction capacity $\lfloor (n-1)/2 \rfloor$. The $\mathbf{1}_n$ code is an error-correcting code where encoding is done by repeating the message bit $n$ times. Decoding is done by majority decision; it outputs 1 if there is a majority of 1 and 0 otherwise.

2.2. The HQC public key encryption scheme. Hamming Quasi-Cyclic [1, 3] is a code-based IND-CCA2 secure encryption scheme whose security relies on the syndrome decoding problem. It is obtained by applying the HHK transformation [12] on the IND-CPA construction denoted HQC.PKE (depicted in Figure 1). HQC uses two types of codes: a tensor code $\mathcal{C}$ of generator matrix $G$ and a random double-circulant $[2n, n]$-code with a parity check matrix $(1, h)$. The correctness of HQC relies on the decoding capability of the code $\mathcal{C}$. Indeed, $\mathrm{Decrypt}(sk, \mathrm{Encrypt}(pk, m)) = m$ when $\mathcal{C}.\mathrm{Decode}$ correctly decodes $v - uy$, namely whenever $w(x r_2 - r_1 y + e) \le \delta$. The tensor product code $\mathcal{C}$ is defined by $\mathcal{C} = \mathcal{B} \otimes \mathcal{R}$, where $\mathcal{B}$ is a $[n_1, k, \delta]$ BCH code and $\mathcal{R}$ is the $[n_2, 1, \lfloor (n_2-1)/2 \rfloor]$ repetition code $\mathbf{1}_{n_2}$. Encoding a given message $m \in \mathbb{F}_2^{k_1}$ is done in two steps. Firstly, it is encoded into $b \in \mathbb{F}_2^{n_1}$ using the aforementioned BCH code $\mathcal{B}$. Secondly, each coordinate $b_i$ of $b$ is re-encoded into $c_i \in \mathbb{F}_2^{n_2}$, for $0 \le i \le n_1 - 1$, with the repetition code $\mathcal{R} = \mathbf{1}_{n_2}$. This yields the codeword $(c_0\, c_1 \dots c_{n_1-1})$. Similarly, decoding $a = (a_0\, a_1 \dots a_{n_1-1})$ with $a_i \in \mathbb{F}_2^{n_2}$ for $0 \le i \le n_1 - 1$ is also done in two steps. Firstly, the repetition code $\mathcal{R}$ decodes each $a_i$ into a bit $b_i$. Secondly the BCH code $\mathcal{B}$ decodes the word $b = (b_i)_{0 \le i \le n_1-1}$ into the message.

Setup($1^\lambda$): Generate and return parameters $\mathrm{param} = (n, k, \delta, G, \omega, \omega_r, \omega_e)$.
KeyGen(param):
  $sk = (x, y) \xleftarrow{\$} (\mathbb{F}_2^n)^2$ such that $\omega(x) = \omega(y) = \omega$
  $h \xleftarrow{\$} \mathbb{F}_2^n$
  $pk = (h, s = x + hy)$
  Return $(pk, sk)$
Encrypt($pk, m$):
  $r = (r_1, r_2) \xleftarrow{\$} (\mathbb{F}_2^n)^2$ such that $\omega(r_1) = \omega(r_2) = \omega_r$
  $u = r_1 + h r_2$
  $e \xleftarrow{\$} \mathbb{F}_2^n$ such that $\omega(e) = \omega_e$
  $v = mG + s r_2 + e$
  Return $c = (u, v)$
Decrypt($sk = (x, y)$, $c = (u, v)$):
  $a = v - uy$
  $b = (\mathcal{R}.\mathrm{Decode}(a_0), \mathcal{R}.\mathrm{Decode}(a_1), \dots, \mathcal{R}.\mathrm{Decode}(a_{n_1-1}))$
  $m = \mathcal{B}.\mathrm{Decode}(b)$
  Return $m$
Figure 1. Description of HQC.PKE [1].

3. Correlation between decoding time and error weight

In this section, we show that there exists a correlation between the weight of the error to be decoded and the running time of the BCH codes decoding algorithm, assuming Berlekamp's simplified algorithm [14] (see appendix A) is used for the second step of decoding. We next describe an oracle distinguishing BCH codewords without errors from those with one error exactly using the running time of the HQC.Decrypt algorithm (see Figure 1).

Berlekamp's simplified algorithm (see appendix A) is an iterative algorithm solving the set of equations (1). It completes in $\delta$ iterations. It starts with $\sigma(x) = 1$. At iteration $\mu$, it computes a quantity $d_\mu$, called discrepancy, whose value is 0 if the $\mu$-th equation from system (1) holds. If not, it corrects $\sigma(x)$ such that equation $\mu$ holds. The loop invariant is that after $\mu$ iterations, the first $\mu$ equations of system (1) are verified. Looking at the pseudocode from appendix A, one can see that:
- For a codeword without error, all discrepancies are zero and the algorithm completes without corrections.
- For a codeword with one error, the first syndrome is $\alpha^{j_1}$ where $j_1$ is the error position and one correction is needed.
Assuming constant running time for the other steps of $\mathcal{B}.\mathrm{Decode}$ (syndromes computation and roots search) as well as the other parts of the HQC.Decrypt subroutine (multiplication and repetition code decoding), one can build the aforementioned oracle.

Let $\mathcal{O}^{HQC}_{Time}$ denote a timing oracle returning the running time of the HQC.Decrypt algorithm. We now explain how to construct an oracle, denoted by $\mathcal{O}^{HQC}_{01}$, returning the weight (0 or 1) of the error corrected by the BCH code, using $\mathcal{O}^{HQC}_{Time}$. The oracle $\mathcal{O}^{HQC}_{01}$ takes as input an HQC public key $pk$ (which implicitly defines a BCH code $\mathcal{B}$) and a ciphertext $c = (u, v)$. The oracle features an initialization step Init (see Algorithm 1) and an evaluation step Eval (see Algorithm 2). The Init step computes the expected running times $T_0$ and $T_1$ when the BCH code corrects 0 and 1 error respectively. To obtain these times $T_0$ and $T_1$, the proper requests have to be submitted to $\mathcal{O}^{HQC}_{Time}$. In order to construct them, one has to account for the additional layers of multiplication and $\mathcal{R}$ decodings on top of BCH decoding. The repetition code layer sees its input $a$, of length $n = n_1 n_2$, as $n_1$ blocks of $n_2$ bits:
$a = (a_0, a_1, \dots, a_{n_1-1}), \quad a_i \in \mathbb{F}_2^{n_2}$.
Each block $a_i$ gives a bit $b_i$ of the output vector $b$ (fed to the BCH decoder) where $b_i = 1$ if the block contains a majority of 1 and $b_i = 0$ otherwise. To compute $T_0$ and $T_1$ we simply query the timing oracle $\mathcal{O}^{HQC}_{Time}$ and measure its response time with $u = 0^n$ and $v = 0^n$ to get an estimation of $T_0$, and $u = 0^n$ and $v = (1^{n_2}\, 0^{n-n_2})$ to get an estimation of $T_1$, as $b = (1\, 0^{n_1-1})$. As described in Algorithm 1, for $T_1$ we make a sample of $p$ requests and retain their mean as the estimate. The complexity of this initialization step is that of $1 + p$ decodings, which will be negligible with respect to the rest of the attack.

The Eval step takes a word $c$ as input and guesses whether or not the BCH code corrects an error during the HQC decryption of $c$.

To this end, it calls $\mathcal{O}^{HQC}_{Time}(pk, c)$, yielding the running time $t$, and outputs the error weight $i$ such that $|t - T_i|$ is minimal. The complexity of a $\mathcal{O}^{HQC}_{01}$ request (i.e. an Eval step) is equal to the complexity of an HQC decryption, namely $O(n\sqrt{n})$ operations in $\mathbb{F}_{q^m}$ (under the assumption $\delta = O(\sqrt{n})$ as is the case in HQC, see section 4.2).

Algorithm 1: Init step of $\mathcal{O}^{HQC}_{01}$
Input: A public key $pk$; a precision parameter $p$
Output: A couple $(T_0, T_1)$ of expected running times
  $T_0 \leftarrow \mathcal{O}^{HQC}_{Time}(pk, 0^{2n})$
  $T_1 \leftarrow 0$
  for $i \in (0, 1, \dots, p-1)$ do
    $b \xleftarrow{\$} \{1, 2, \dots, n_1\}$
    $c \leftarrow (0^{(b-1)n_2}\, 1^{n_2}\, 0^{n - b n_2})$
    $T_1 \leftarrow T_1 + \mathcal{O}^{HQC}_{Time}(pk, c)$
  $T_1 \leftarrow T_1 / p$
  return $(T_0, T_1)$

Algorithm 2: Eval step of $\mathcal{O}^{HQC}_{01}$
Input: A public key $pk$ and a ciphertext $c$; expected running times $T_0$ and $T_1$
Output: The error weight 0 or 1 that the BCH code $\mathcal{B}$ corrected during HQC.Decrypt($sk, c$)
  $t \leftarrow \mathcal{O}^{HQC}_{Time}(pk, c)$
  return $i$ such that $|t - T_i|$ is minimal

4. Practicable timing attack against HQC

In this section, we present a side-channel chosen ciphertext attack against HQC. This attack is a real threat as it has a polynomial complexity and requires a reasonable amount of requests. It proceeds by iterations until the key $y$ is recovered. We first give a brief overview of the attack in section 4.1. We follow by describing its first two iterations in sections 4.2 and 4.3. Finally, we estimate its success probability in section 4.4 and discuss the attack complexity and bandwidth cost in section 4.5.

4.1. Attack overview. The key $y$ has a Hamming weight of $\omega$, meaning it contains $\omega$ bits 1 and $n - \omega$ bits 0. The objective of the attack is to recover the support of $y$, i.e. (the positions of) all 1's. Consider the secret key $y$ as $n_1$ blocks of $n_2$ bits. After initializing the oracle $\mathcal{O}^{HQC}_{01}$, the attack proceeds by iterations. At iteration $i$, the attack searches block by block, finding out all 1's from each block containing exactly $i$. This is done by querying the oracle with appropriate requests. For all requests, the vector $u$ is chosen as $u := (1\, 0^{n-1})$ such that $uy = y$ and $a = v \oplus y$. The input $a$ isn't fed directly to the BCH code decoder but needs to go through the repetition code decoder first. So one wants to pick $v$ such that $v \oplus y$ establishes a majority of 1's in the block that $v$ alone wouldn't have. This naturally leads us to consider vectors $v$ having a 1 in $\lfloor n_2/2 \rfloor$ positions of a block $v_i$. Doing so, either block $y_i$ has a 1 in one of the remaining positions, which leads $(v \oplus y)_i$ to have a majority of 1's, and the oracle returns 1; or block $y_i$ has no 1's in the remaining positions, $(v \oplus y)_i$ has no majority of 1's, and the oracle returns 0. Either way the oracle response leaks information on block $y_i$'s content. Nevertheless, this strategy does not always work as $y$ can have multiple 1's per block. When it does, these 1's could cancel those we set in $v$ and break our majority, preventing us from gaining information. This complexifies our task and is the reason why we split the attack in different iterations, each designed to search within $y$'s blocks for a certain number of 1's. For the sake of clarity and simplicity, we only describe the first two iterations.

4.2. First iteration. During the first iteration, we aim to recover all 1's of $y$ alone in their block. Let's consider the $(i+1)$-th block $y_i$ of $y$ ($0 \le i \le n_1 - 1$) and $v_i$ the corresponding block of $v$. In order to determine the position of an eventual lone 1 in $y_i$, we start querying the oracle with $(u, v)$ such that:
$v_j = 0^{n_2}$ if $j \ne i$, $\quad v_i = (1^{\lfloor n_2/2 \rfloor}\, 0^{\lceil n_2/2 \rceil})$.
If the oracle response is 1, it means $\mathcal{B}$ corrected an error, thus $y_i$ has a 1 in one of its last $\lceil n_2/2 \rceil$ positions. Proceeding by dichotomy, we can then submit to the oracle the query $(u, v)$ with:
$v_j = 0^{n_2}$ if $j \ne i$, $\quad v_i = (0^{\lceil n_2/2 \rceil / 2}\, 1^{\lfloor n_2/2 \rfloor}\, 0^{\lceil n_2/2 \rceil / 2})$.
For example, if $n_2 = 31$, our first request would be with $v_i = (1^{15}\, 0^{16})$. Assuming a response 1, we would identify a 1 in one of the last 16 positions and follow with a second request where $v_i = (0^8\, 1^{15}\, 0^8)$, reducing by half the set of remaining candidates for the position of the 1. This allows us to pinpoint the position in $\lfloor \log_2 n_2 \rfloor + 1$ requests. If we get a response 0 to our first request, the same amount of requests is enough to either find the position of the lone 1 or know there isn't any. However, since there are many more blocks without 1 than blocks with any, one can reduce the number of requests. Instead the second request is $(u, v)$ with:
$v_j = 0^{n_2}$ if $j \ne i$, $\quad v_i = (0^{\lceil n_2/2 \rceil}\, 1^{\lfloor n_2/2 \rfloor})$.
This way, if the oracle returns 0, one can immediately dismiss the block with this second request as it does not have exactly one 1. This implies performing an extra request if it turns out there's a 1 to find, but saves us $\lfloor \log_2 n_2 \rfloor - 1$ requests most of the time. Since there are a total of $n_1$ blocks, and $y$ has at most $\omega$ blocks containing a single 1, the first iteration requires at most $2(n_1 - \omega) + \omega(\lfloor \log_2 n_2 \rfloor + 1)$ requests.

Let's examine the complexity of this iteration. A request amounts to:
- the computation of $v - uy$. The product complexity is $2\omega n + (\omega - 1)n$ (rotating $\omega$ arrays of size $n$ and summing the resulting vectors). With the final addition, this iteration's complexity is $3\omega n$.
- $n_1$ $\mathcal{R}$-decodings of complexity $n_1((n_2 - 1) + 1) = n$ (for each of the $n_1$ blocks, its $n_2$ bits are summed and a comparison is done).
- a $\mathcal{B}$-decoding of complexity $O(n_1^2)$ under the HQC hypothesis $\delta = O(\sqrt{n})$.
Under the assumption $\omega = O(\sqrt{n})$, we get a request complexity of $O(n\sqrt{n})$ and an overall complexity in $O(n^{5/2})$ for the first iteration. The probability that the attack is successful after this first iteration is low enough (see section 4.4) that it calls for a second iteration.

4.3. Second iteration. The first iteration of the attack identified all 1's alone in their blocks. We now look for blocks of $y$ containing exactly two 1's. In order to do so, we need to analyze what happens when one encounters such a block during the first iteration. There are two kinds of situations:
- case a: both 1's are in the same half of the block (including the middle position if $n_2$ is odd). If they're in the upper half, our first request gets a response 1 and we end up identifying the position of the 1 closer to the middle of the block. If they're in the lower half, our first request gets a response 0 but our second request gets a response 1 and we again end up identifying the position of the 1 closer to the middle of the block.
- case b: both halves have a 1 (note that the case where $n_2$ is odd and there is a 1 in the middle would have been detected already). In that case the first two requests return 0 and the block is discarded.
The second iteration will be divided in two phases treating blocks falling in each case. One can remark that there should be roughly the same amount of blocks falling in each case, simply because if one fixes a position in a block and randomly picks another position of the block, there are almost as many positions left in the same half as in the other half.

4.3.1. Phase 1. Here the search is focused on blocks in which a 1 has already been identified. Clearly this situation is very similar to the first iteration. We can just ignore the 1 we know of, consider the block is of length $n_2 - 1$ and assume we need one less to achieve majority. This can be done using dichotomy as in the first iteration except each time we pick $\lfloor n_2/2 \rfloor - 1$ positions out of these $n_2 - 1$. This phase can be performed efficiently as at most $\lfloor \omega/2 \rfloor$ blocks have to be looked into. This makes a maximum of $\lfloor \omega/2 \rfloor (\lfloor \log_2 n_2 \rfloor + 2)$ requests. Under the hypothesis $\omega = O(\sqrt{n})$, this phase complexity is:
$\lfloor \omega/2 \rfloor (\lfloor \log_2 n_2 \rfloor + 2) \cdot O(n\sqrt{n}) = O(n^2 \log_2 n)$.

4.3.2. Phase 2. Now we turn to the remaining blocks. We want to catch those containing precisely two 1's. Let's recall that in the event of such a block, it has a 1 in each block half (and none in the middle if $n_2$ is odd). We can generalize the same strategy applied in the first iteration; we can distinguish whether or not the block contains a pair of 1's in four requests $(u, v)$ with $v_j = 0$ if $j \ne i$ and:
$v_i = (1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2})$
$v_i = (0^{(\lceil n_2/2 \rceil + 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2})$
$v_i = (1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2})$
$v_i = (0^{(\lceil n_2/2 \rceil + 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 1^{(\lfloor n_2/2 \rfloor - 1)/2}\, 0^{(\lceil n_2/2 \rceil + 1)/2})$
Since one knows the 1's are in different halves of the block, there are only four different pairs of quarters they can be in. Each of the aforementioned requests tests one such pair. Therefore, if the oracle returns 0 to these four requests, the block contains either no 1's or more than two. If the oracle answers 1 to one of these requests, one retrieves two ranges of indices, both containing a 1. Then proceeding by dichotomy for each range, one can narrow it down to a singleton in $\log_2\big((\lceil n_2/2 \rceil + 1)/2\big) + 1$ requests. In the worst case scenario, we have $\lfloor \omega/2 \rfloor$ blocks containing two 1's, none of which have been detected yet. This takes
$\frac{\omega}{2}\Big(4 + 2\log_2\big((\lceil n_2/2 \rceil + 1)/2\big) + 2\Big) + 4\Big(n_1 - \frac{\omega}{2}\Big)$
requests to find them all, from which we derive the second iteration complexity of:
$\Big(2 \cdot \frac{\omega}{2}\Big(\log_2\big((\lceil n_2/2 \rceil + 1)/2\big) + 1\Big) + 4 n_1\Big) \cdot O(n\sqrt{n}) = O(n^{5/2})$.

4.4. Success probability estimation. Let's calculate the probabilities that $y$ has been retrieved after each iteration. Let the following events be, for $0 \le i \le \lfloor n_1/2 \rfloor$:
$A_i$: "$y$ has exactly $i$ blocks with two 1's and no block with more."
$A$: "$y$ has at most two 1's per block."
The event $A_0$ can also be described as the attack being successful after the first iteration. This means $y$ has $\omega$ blocks containing a single 1, for which we have $n_2$ positions to choose from, and $n_1 - \omega$ blocks containing none. Therefore:
$P(A_0) = \binom{n_1}{\omega} n_2^{\omega} \binom{n}{\omega}^{-1}$
With HQC-128-1 [1] parameters $n_1 = 796$, $n_2 = 31$ and $\omega = 67$, one has $P(A_0) \simeq 0.0625$. One recovers 6.25 percent of potential keys $y$ after the first iteration. Let's now compute the probability $P(A)$ that the attack is successful after at most two iterations. $A$ is the disjoint union of the $A_i$:
$P(A) = \sum_{i=0}^{\lfloor n_1/2 \rfloor} P(A_i)$
$P(A) = \binom{n}{\omega}^{-1} \sum_{i=0}^{\lfloor n_1/2 \rfloor} \binom{n_1}{i} \binom{n_2}{2}^{i} \binom{n_1 - i}{\omega - 2i} n_2^{\omega - 2i}$
With $n_1 = 796$, $n_2 = 31$ and $\omega = 67$, one finds $P(A) \simeq 0.9344$. 93 percent of potential keys have been retrieved after the second iteration. One could show that the attack success probability after three iterations is above 99 percent.

4.5. Attack complexity and bandwidth cost. Table 1 presents the attack complexity and the number of required requests with respect to HQC parameters. Since the multiplication takes most of the decryption workload, we took twice its complexity (i.e. $6\omega n$) as an upper bound of a request complexity. We implemented the attack locally for HQC-128-1. Table 1 assumes each oracle request is done once. However, in a real life scenario, different runs of the same request usually yield slightly different execution times. This derails the attack if the real execution time is closer to $T_i$ than $T_{1-i}$ but the measured execution time is closer to $T_{1-i}$ than $T_i$, for $i = 0, 1$. To mitigate this effect, we take the standard approach of repeating each request several times, each time measuring the execution time, and taking the median of the batch as execution time estimate. The tests were performed on a machine with 16GB of memory, equipped with an Intel core i7-7820X CPU @ 3.60GHz and with Hyper-Threading, Turbo Boost and SpeedStep features disabled. On this machine, repeating each request nine times, the attack against HQC-128-1 takes less than a minute to complete. We ran a thousand attacks. As expected, 7% of them fail because the key $y$ has a block with at least three 1's. 5% of them also fail because of the aforementioned random nature of measurements. This can be lowered by raising the repeat count at the expense of a higher running time. Overall 88% of attacks succeed.

Table 1. Attack complexity and bandwidth cost against HQC

                             Complexity upper bound        Requests
                             128-1    192-2    256-3       128-1   192-2   256-3
  Oracle Init (p = 1)        2^25     2^26     2^27        2       2       2
  First iteration            2^35     2^36     2^37        1793    1936    2257
  Second iteration, phase 1  2^31     2^34     2^35        198     350     528
  Second iteration, phase 2  2^35     2^37     2^38        3448    3564    3844
  Total                      2^36     2^38     2^39        5441    5852    6631

128-1: 128-bit security and a Decoding Failure Rate (DFR) less than $2^{-64}$.
192-2: 192-bit security and a DFR less than $2^{-96}$.
256-3: 256-bit security and a DFR less than $2^{-128}$.

5. Constant time decoding of BCH codes

A constant time BCH code decoding algorithm naturally thwarts the attack. In this section we discuss how to construct such an algorithm. We start by making precise the constant time model we are considering and discuss how one can transform a non constant time algorithm into a constant time one (section 5.1). We then apply these techniques to finite field arithmetic (section 5.2), syndromes and roots computation (section 5.3) and ELP computation (section 5.4). This allows us to provide two variants of a constant time algorithm for BCH code decoding. To finish, we provide the results of our tests and discuss which variant should be considered depending on the chosen BCH code and the targeted material (section 5.5).

5.1. Constant time implementation. For constant time implementation, two security models are usually considered: full constant time, where the algorithm running time is indeed constant; and timing attack resistant, where the algorithm running time is independent of its secrets (although its running time may vary). Since an attacker can force the BCH code decoder to use the secret $y$ as its input (with ciphertext $(0^n, 1^{n_2}\, 0^{n-n_2})$ for example), we hereafter consider the full constant time model. There are three kinds of obstacles to constant time implementation: loops whose bound is input-dependent, branches whose condition is input-dependent and input-dependent memory accesses. Natural fixes for each of these obstacles would respectively be [16]:
- To patch loops whose condition depends upon inputs by supplying a constant bound (the maximum number of iterations) and performing dummy operations once the original bound has been reached.
- To patch branches whose condition depends upon inputs by executing both branches and using a flag to control which branch is effectively executed.
- To patch array accesses whose index depends upon inputs either by eliminating them or by ensuring the corresponding address is already cached.
Dealing with leaking array accesses can be done in several ways. Walters and Sinha Roy [16] suggest patching each such access by scanning the whole array to load it into the cache. For nested array accesses, this operation may induce a huge performance penalty. One may scan the array less often, but it requires being careful about addresses not being evicted from the L1 cache. One also has to be wary of the compiler with this approach, as compilers tend to identify these kinds of "do nothing" loops and optimize them out. We will denote the approach of scanning an array having potential leaking accesses once (and only once) as a cache-dependent patch, as it works only if the cache is big enough or if code parameters are small enough. Note that even if the access doesn't leak anymore, it still, strictly speaking, depends on the inputs. The second approach is a cache-independent patch, which consists of removing the array access entirely. The idea is to first determine the range of indices that can potentially be accessed, then loop on all these indices, each time performing either a dummy operation or the real one as needed. Now recall from section 2.1 that BCH code decoding has three steps: syndromes computation, ELP computation and roots computation. To provide a constant time implementation of BCH code decoding, we need to achieve constant time for Galois field arithmetic as well as for each of these three steps. We propose two variants: one with some cache-dependent array accesses and one without any cache-dependent array access.

5.2. Constant time field arithmetic. All three steps of decoding make abundant use of field operations (mostly additions and multiplications) that need be constant time.

Addition. For addition we use coefficient-wise xor.

Multiplication. We propose two implementations for multiplication:
(1) lookup tables. Given log and antilog tables (relative to a primitive element $\alpha \in \mathbb{F}_{2^m}$), multiplying two elements of $\mathbb{F}_{2^m}$ is done by taking their logarithms, adding them modulo $2^m - 1$, and taking the antilog.
(2) the CLMUL instruction set. This is an extension to the x86 instruction set for microprocessors from Intel and AMD. The pclmulqdq instruction computes the 128-bit carry-less product of two 64-bit values. We then reduce modulo the primitive polynomial using bitwise operations.
Implementation 2 is constant time but requires support for the CLMUL instruction set. Note that if one knows of a more efficient multiplication implementation or if the CLMUL instruction set is not available, one can use any other multiplication implementation as long as it is constant time. Implementation 1 is faster but not constant time by itself because it uses three input-dependent array accesses. However, using the aforementioned cache-dependent patch, that is scanning both log and antilog tables at the beginning of decoding, we may have implementation 1 run in constant time, depending on cache size and code parameters. These two underlying implementations for field multiplication distinguish our two constant time implementation variants.

Squaring. For squaring we use bitwise operations with constant shift amounts.

Inversion. For inversion we use fast exponentiation.

5.3. Constant time syndromes computation and roots computation. We start with steps 1 and 3 of BCH decoding, i.e. computation of syndromes and roots. For both we benefit from fast algorithms developed by Bernstein et al. [6], who built on previous work from Gao and Mateer [10]. They use an additive Fast Fourier Transform (FFT) algorithm to compute the syndromes and its transpose algorithm to compute the ELP roots. Both these algorithms are constant time. We refer the reader to the aforementioned papers for more details on the additive FFT. We describe a small adjustment to these algorithms. Additive FFT is a recursive algorithm which calls two copies of itself. At each recursion level, some constants (called gammas and deltas) are computed using field operations. Bernstein et al. propose a bitsliced version of the algorithm. Since we use a non bitsliced version here, field operations are more costly. As a result, recomputing these constants is more expensive than accessing them from an array (even factoring in some L1 cache misses). Therefore, we compute these constants only once and store them in lookup tables for our subsequent needs. Note that the array accesses to these tables are not subject to timing leaks.

5.4. Constant time error locator polynomial computation. Here we start with Berlekamp's simplified algorithm [5, 13] (see appendix A). We then use the standard techniques described in section 5.1 to make it constant time, opting for the cache-independent approach when we encounter input-dependent array accesses. Because pseudocode hides implementation details by nature whereas constant time is an implementation-sensitive property, we give a constant time C implementation of Berlekamp's simplified algorithm in appendix B.

5.5. Test results. The benchmarks are performed on a machine which has 16GB of memory and is equipped with an Intel core i7-7820X CPU @ 3.60GHz. Hyper-Threading, Turbo Boost and SpeedStep features are disabled. L1 data cache is 32 kilobytes. We pick six BCH codes of various parameters. For each chosen BCH code $[n, k, \delta]$, we conduct two tests (one for each implementation of field multiplication) as follows. We generate 10000 erroneous codewords with a distribution of error weights between 0 and $1.1\delta$ where error positions are picked randomly. Each codeword is decoded 100 times. Out of each batch, the minimum execution time is taken as estimated execution time for decoding that codeword. For each error weight of the distribution, we also monitor minimum and maximum of these minimum running times. At the end of the test, for each of the two codewords giving global minimum or maximum, we run another 100 decodings and take the minimum to confirm whether or not these extremums are circumstantial (these recomputed values don't appear on the graphs). For the two BCH codes $[796, 256, 60]$ and $[766, 256, 57]$ used in HQC, we use some optimizations. Firstly we use hardcoded lookup tables for both $\mathbb{F}_{1024}$ and the FFT constants. Secondly we use all optimizations suggested by Bernstein et al. [6] regarding the additive FFT, namely picking an ideal basis to avoid twisting, dealing with 2-coefficient and 3-coefficient polynomials more efficiently and unrolling both the FFT and its transpose. Note that these codes are shortened BCH codes. Because it doesn't fundamentally impact our case, we won't discuss it here but we refer the reader to [1] for more details. An implementation will be made available at pqc-hqc.org.

We give the results in the form of graphs (see figures 2 and 3). Figure 2 features the decoding of all six codes using lookup tables for field multiplication whereas figure 3 features these same codes using the pclmulqdq instruction for field multiplication. Each graph is vertically centered around the mean execution time $t_{mean}$. Vertical axes spread from $0.95\, t_{mean}$ to $1.05\, t_{mean}$, except for the last code $[32767, 16412, 1315]$ where it stretches from $0.85\, t_{mean}$ to $1.15\, t_{mean}$. As expected, on one hand, the second implementation of multiplication looks perfectly constant time (see figure 3). For all six codes, regardless of the number of errors, the relative difference between any extremum and the mean decoding time always stays under 1%. On the other hand, the first implementation appears to be constant time only for the first three codes, that is if $m \le 12$, i.e. up to $\mathbb{F}_{4096}$ (see the first three graphs of figure 2). Above that, the first implementation runs into cache issues. Indeed, our implementation uses uint16_t to represent field elements, which means two bytes per element. For $\mathbb{F}_{8192}$, log and antilog tables require $2 \times 2 \times 8192 = 32767$ bytes, which completely fill the L1 data cache of 32 kilobytes for the considered machine. From there, any computation will lead to addresses being evicted from the cache, which in turn will cause timing leaks (see the last three graphs of figure 2). For $\mathbb{F}_{4096}$, the lookup tables take only half the memory, which seems to leave enough for our decoding needs. However, for the small fields where it is constant time, the first implementation has better performance than the second (see tables 3 and 4). For the BCH codes used in HQC, observed decoding times are 30% faster. So our recommendation would be to use the first multiplication implementation (lookup tables) for BCH codes on field $\mathbb{F}_{4096}$ or smaller, which is the case of HQC, and to use the second multiplication implementation (via pclmulqdq) for larger fields.

We integrated the constant time BCH decoding algorithm in the optimized implementation of HQC IND-CCA2 to measure the performance overhead. We restrict our measurements to the lookup tables variant of the BCH decoding. In table 2 we report CPU cycle counts for the decapsulation step of HQC across the different security levels with either the original BCH implementation or the constant time variant. One can see that our constant time implementation only adds a little overhead, between 3.21% and 11.06%.

Table 2. Running time (CPU cycles) and overhead when original or constant time BCH decoding is used in the decapsulation step of HQC

  HQC.Decaps    Original BCH    Constant time BCH    Overhead
  HQC-128-1     507285          563414               11.06%
  HQC-192-1     947552          995272               5.05%
  HQC-192-2     992057          1047054              5.54%
  HQC-256-1     1490993         1538824              3.21%
  HQC-256-2     1562207         1616673              3.49%
  HQC-256-3     1617269         1675195              3.58%

6. Conclusion

In this work, we have highlighted a correlation between the weight of the error to be decoded and the running time of decoding BCH codes when Berlekamp's simplified algorithm is straightforwardly implemented. Next, we have devised an efficient chosen ciphertext timing attack against HQC based on that correlation. We then implemented it in software and carried it out against different security levels of HQC. The attack is very efficient as it recovers the secret key $y$ often enough in a couple of iterations and its overall complexity is $O(n^{5/2})$. In order to thwart this attack, we proposed two variants of a constant-time decoding algorithm for BCH codes. Furthermore, we integrated our new constant time algorithm in the latest version of HQC and showed that this countermeasure results in minimal performance overhead.

References

[1] C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit, E. Persichetti and G. Zemor, Hamming Quasi-Cyclic (HQC), 2017.
[2] C. Aguilar-Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit and G. Zemor, Rank Quasi-Cyclic (RQC), 2017.
[3] C. Aguilar-Melchor, O. Blazy, J.-C. Deneuville, P. Gaborit and G. Zemor, Efficient Encryption from Random Quasi-Cyclic Codes, IEEE Transactions on Information Theory, 64 (2018), 3927-3943.
[4] S. Bettaieb, L. Bidoux, P. Gaborit and E. Marcatel, Prevent

18 ingtimingattacksagainstRQCusingconstantt
ingtimingattacksagainstRQCusingconstanttimedecodingofGabidulincodes,inInternationalConferenceonPost-QuantumCryptography,Springer,(2019),371{386.[5]E.R.Berlekamp,Non-binaryBCHdecoding,Technicalreport,NorthCarolinaStateUniver-sity.Dept.ofStatistics,1966.[6]D.J.Bernstein,T.ChouandPSchwabe,Mcbits:fastconstant-timecode-basedcryptography,InInternationalWorkshoponCryptographicHardwareandEmbeddedSystems,pages250{272.Springer,2013.[7]R.Chandra.BoseandD.K.Ray-Chaudhuri,Onaclassoferrorcorrectingbinarygroupcodes,Informationandcontrol,3(1960),68{79.[8]J.-P.D'Anvers,F.VercauterenandIngridVerbauwhede,OntheimpactofdecryptionfailuresonthesecurityofLWE/LWRbasedschemes,IACRCryptologyePrintArchive,2018:1089,2018.[9]E.M.Gabidulin,Theoryofcodeswithmaximumrankdistance,ProblemyPeredachiInfor-matsii,21(1985),3{16.[10]S.GaoandT.Mateer,Additivefastfouriertransformsover nite elds,IEEETransactionsonInformationTheory,56(2010),6265{6272.[11]A.Hocquenghem,Codescorrecteursderreurs,Chi res,2(1959),147{56.[12]D.Hofheinz,K.HovelmannsandE.Kiltz,AmodularanalysisoftheFujisaki-Okamototrans-formation,inTheoryofCryptographyConference,pages341{371.Springer,2017.[13]L.L.JoinerandJ.J.Komo,DecodingbinaryBCHcodes,InSoutheastcon'95,1995.[14]S.LinandD.J.Costello,inErrorcontrolcoding,PrenticeHallEnglewoodCli s(2004).[15]X.Lu,Y.Liu,Z.Zhang,D.Jia,H.Xue,J.He,B.Li,K.Wang,Z.LiuandH.Yang,LAC:PracticalRing-LWEbasedPublic-KeyEncryptionwithByte-LevelModulus,IACRCryptologyePrintArchive,2018:1009,2018.[16]M.WaltersandS.SinhaRoy,Constant-timeBCHError-CorrectingCode,IACRCryptologyePrintArchive,2019:155,2019. 16TIMINGATTACKONHQCANDCOUNTERMEASURETable3.DecodingofsomeBCHcodeswithmultiplicationbytables BCHcode[n;k;] Runningtime(inCPUcycles) LuTSyndromesELPRootsTotal [766;256;57] 034240300892677891873 [796;256;60] 034646333592708695861 [4095;418;501] 8249129182721458991870042711521 [8191;7580;47] 12458727819123216186407616569 [16383;14598;130] 2458507896511660625526301760773 [32767;16412;1315] 503337253125817361393178667

19 722217535 Table4.DecodingofsomeBCHcodesw
722217535 Table4.DecodingofsomeBCHcodeswithmultiplicationbypclmulqdq BCHcode[n;k;] Runningtime(inCPUcycles) LuTSyndromesELPRootsTotal [766;256;57] 0427995073534017128226 [796;256;60] 0435605556234404134157 [4095;418;501] 9699747481745858933211025482880 [8191;7580;47] 13417644301661288311542953739 [16383;14598;130] 260450150141147417711066803352090 [32767;16412;1315] 484200214356714832791151418918996691 TIMINGATTACKONHQCANDCOUNTERMEASURE17 0 10 20 30 40 50 60 88000 90000 92000 94000 96000 DecodingofBCHcode[766;256;57](variant1) maximum mean minimum 0 10 20 30 40 50 60 92000 94000 96000 98000 100000 DecodingofBCHcode[796;256;60](variant1) maximum mean minimum 0 100 200 300 400 500 2600000 2650000 2700000 2750000 2800000 DecodingofBCHcode[4095,418,501](variant1) maximum mean minimum 0 10 20 30 40 50 600000 620000 640000 DecodingofBCHcode[8191;7580;47](variant1) maximum mean minimum 0 20 40 60 80 100 120 140 1700000 1750000 1800000 DecodingofBCHcode[16383;14598;130](variant1) maximum mean minimum 0 200 400 600 800 1;000 1;200 1;400 20000000 22000000 24000000 DecodingofBCHcode[32767;16412;1315](variant1) maximum mean minimum Figure2.Decodingexecutiontimes(inCPUcycles)ofvariousBCHcodesfordi erenterrorweightswith eldmutliplicationim-plementedbylookuptables(variant1). 18TIMINGATTACKONHQCANDCOUNTERMEASURE 0 10 20 30 40 50 60 122000 124000 126000 128000 130000 132000 134000 DecodingofBCHcode[766;256;57](variant2) maximum mean minimum 0 10 20 30 40 50 60 128000 130000 132000 134000 136000 138000 140000 DecodingofBCHcode[796;256;60](variant2) maximum mean minimum 0 100 200 300 400 500 5300000 5400000 5500000 5600000 5700000 DecodingofBCHcode[4095,418,501](variant2) maximum mean minimum 0 10 20 30 40 50 920000 940000 960000 980000 1000000 DecodingofBCHcode[8191;7580;47](variant2) maximum mean minimum 0 20 40 60 80 100 120 140 3200000 3300000 3400000 3500000 DecodingofBCHcode[16383;14598;130](variant2) maximum mean minimum 0 200 400 600 800 1;000 1;200 1;400 17000000 18000000

20 19000000 20000000 21000000 DecodingofBCH
19000000 20000000 21000000 DecodingofBCHcode[32767;16412;1315](variant2) maximum mean minimum Figure3.Decodingexecutiontimes(inCPUcycles)ofvariousBCHcodesfordi erenterrorweightswith eldmultiplicationim-plementedviapclmulqdqinstruction(variant2). TIMINGATTACKONHQCANDCOUNTERMEASURE19AppendixA.ELPcomputation Algorithm3:Simpli edBerlekampalgorithm[5,13] Input:AlistofsyndromesS1,S2,...,S2Output:Thecorrespondingerrorlocatorpolynomial(X)/*Initializethefollowingarray*/  ()(X) d l 2�l �1 2 1 1 0 �1 0 1 S1 0 0 /*Fillthearray'snextlinesasfollows*/repeat ifd=0then (+1)(X)=()(X)l+1=l ifd6=0then Findanotherline,whered6=0and2�lismaximal(+1)(X)=()(X)+dd�1X2(�)()(X)l+1=max(l;l+2(�)) Computed+1=S2+3+(+1)1S2+2+:::+(+1)l+1S2+3�l+1Incrementandcompute2�luntil=return()(X) 20TIMINGATTACKONHQCANDCOUNTERMEASUREAppendixB.ConstanttimeELPcomputationTheCfunctionbelowcomputestheerrorlocatorpolynomialusingaconstanttimeversionofBerlekamp'ssimpli edalgorithm.Ithasthefollowingfeatures:TheconstantPARAM_DELTAisthecorrectioncapacity�1oftheBCHcode.ElementsofF2marerepresentedbyuint16_taspolynomials(m15).gf_mulistheGalois eldmultiplication.Ittakestwoelementsandreturnstheirproduct.gf_inversecomputesanelementinverse.Itreturns0forinput0.syndromesisanarrayofsize2*PARAM_DELTAstoringthe2syndromes.sigmaisanarrayofsizePARAM_DELTA+1thatwillreceivethe+1coef- cientsoftheELP.Thefunctionreturnsthedegreeof(X)(anditscoecientsinthearraysigma).ThearrayX_sigma_prepresentsthepolynomialX2(�)(X).Insteadofmaintainingalistof(i)(X),weupdateinplaceboth(X)(arraysigma)andthecorrectivetermX2(�)(X)(

21 arrayX_sigma_p).Wedon'tcareabout
arrayX_sigma_p).Wedon'tcareabout(X)ifitsdegreeexceedsPARAM_DELTA[13].Sowedon'tcareaboutX_sigma_pifitsdegreeexceedsPARAM_DELTAeither.sigma_copyservesasatemporarysaveofsigmaincaseweneedittoupdateX_sigma_p.Weonlyneedtosavethe rstPARAM_DELTA�1coecientsofsigma. size tcompute elp(uint16 tsigma,constuint16 tsyndromes)fmemset(sigma,0,2(PARAM DELTA+1));sigma[0]=1;size tdeg sigma=0;size tdeg sigma p=0;uint16 tsigma copy[PARAM DELTA�1]=f0g;size tdeg sigma copy=0;uint16 tX sigma p[PARAM DELTA+1]=f0,1g;intpp=�1;//2rhouint16 td p=1;uint16 td=syndromes[0];for(size tmu=0;muPARAM DELTA;++mu)f//SavesigmaincaseweneedittoupdateX sigma pmemcpy(sigma copy,sigma,2(PARAM DELTA�1));deg sigma copy=deg sigma;uint16 tdd=gf mul(d,gf inverse(d p));//0if(d==0)for(size ti=1;(i=2mu+1)&&(i=PARAM DELTA);++i)sigma[i]^=gf mul(dd,X sigma p[i]);size tdeg X=2mu�pp;//2(mu�rho)size tdeg X sigma p=deg X+deg sigma p;//mask1=0xffffif(d!=0)and0otherwiseint16 tmask1=�((uint16 t)�d��15); TIMINGATTACKONHQCANDCOUNTERMEASURE21//mask2=0xffffif(deg X sigma p�deg sigma)and0otherwiseint16 tmask2=�((uint16 t)(deg sigma�deg X sigma p)��15);//mask12=0xffffifthedeg sigmaincreasedand0otherwiseint16 tmask12=mask1&mask2;deg sigma=(mask12° X sigma p)^(~mask12° sigma);if(mu==PARAM DELTA�1)break;//Updatepp,d pandX sigma pifneededpp=(mask12&(2mu))^(~mask12&pp);d p=(mask12&d)^(~mask12&d p);for(size ti=PARAM DELTA�1;i;��i)X sigma p[i+1]=(mask12&sigma copy[i�1])^(~mask12&X sigma p[i�1]);X sigma p[1]=0;X sigma p[0]=0;deg sigma p=(mask12° sigma copy)^(~mask12° sigma p);//Computethenextdiscrepancyd=syndromes[2mu+2];for(size ti=1;(i=2mu+1)&&(i=PARAM DELTA);++i)d^=gf mul(sigma[i],syndromes[2mu+2�i]);greturndeg sigma;g Emailaddress:kyzdra@yahoo.frEmailaddress:slim.bettaieb@worldline.comEmailaddress:loic.bidoux@worldline.comEmailaddress:gaborit@unilim.frEmailaddress:etienne.marcatel@
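To make the leak that the masks above close visible in isolation, here is an added example (not the paper's code) that writes one iteration of the sigma update both ways: a branching version whose field work is skipped when the discrepancy d is zero, and the masked version from appendix B. The field F16 with GF_POLY, the constructed gf_mul/gf_inverse, PARAM_DELTA = 4, the sample state in count_calls and the gf_mul call counter used as a stand-in for execution time are all assumptions made here, not HQC's.

```c
#include <stdint.h>
#include <stddef.h>
#define PARAM_DELTA 4                 /* toy correction capacity: 4 ELP coefficients after sigma[0] */
#define GF_POLY 0x13u                 /* toy field F16 = F2[x]/(x^4 + x + 1), so m = 4 */
static size_t gf_mul_calls;           /* number of field multiplications: our proxy for time */
static uint16_t gf_mul(uint16_t a, uint16_t b) {   /* branch-free shift-and-add in F16 */
    uint16_t r = 0;
    ++gf_mul_calls;
    for (int i = 0; i < 4; ++i) {
        r ^= a & (uint16_t)-((b >> i) & 1u);                   /* add a when bit i of b is set */
        a = (a << 1) ^ (GF_POLY & (uint16_t)-((a >> 3) & 1u)); /* a *= x, reduce mod GF_POLY   */
    }
    return r;
}
static uint16_t gf_inverse(uint16_t a) {           /* a^14 = a^-1 in F16; maps 0 to 0 */
    uint16_t a2 = gf_mul(a, a), a4 = gf_mul(a2, a2), a8 = gf_mul(a4, a4);
    return gf_mul(gf_mul(a2, a4), a8);
}
/* Leaky form: when d == 0 the whole update is skipped, so the work done depends on d. */
static size_t update_branching(uint16_t *sigma, const uint16_t *X_sigma_p, size_t deg_sigma,
                               size_t deg_X_sigma_p, uint16_t d, uint16_t d_p) {
    if (d != 0) {
        uint16_t dd = gf_mul(d, gf_inverse(d_p));
        for (size_t i = 1; i <= PARAM_DELTA; ++i) sigma[i] ^= gf_mul(dd, X_sigma_p[i]);
        if (deg_X_sigma_p > deg_sigma) deg_sigma = deg_X_sigma_p;
    }
    return deg_sigma;
}
/* Masked form as in appendix B: dd is 0 when d is 0 so the loop always runs; the degree update is a select. */
static size_t update_masked(uint16_t *sigma, const uint16_t *X_sigma_p, size_t deg_sigma,
                            size_t deg_X_sigma_p, uint16_t d, uint16_t d_p) {
    uint16_t dd = gf_mul(d, gf_inverse(d_p));                          /* 0 if (d == 0) */
    for (size_t i = 1; i <= PARAM_DELTA; ++i) sigma[i] ^= gf_mul(dd, X_sigma_p[i]);
    int16_t mask1 = -((uint16_t)-d >> 15);                /* 0xffff iff d != 0; needs d < 2^15 (m <= 15) */
    int16_t mask2 = -((uint16_t)(deg_sigma - deg_X_sigma_p) >> 15); /* 0xffff iff deg_X_sigma_p > deg_sigma */
    int16_t mask12 = mask1 & mask2;
    return (mask12 & deg_X_sigma_p) ^ (~mask12 & deg_sigma);
}
static size_t last_deg;                            /* outputs of the most recent count_calls() */
static uint16_t last_sigma[PARAM_DELTA + 1];
/* One update on a constructed state (sigma = 1 + 3X, X_sigma_p = X^2 (1 + 5X), d_p = 7); returns gf_mul calls. */
static size_t count_calls(int masked, uint16_t d) {
    const uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 0, 1, 5, 0};
    uint16_t sigma[PARAM_DELTA + 1] = {1, 3, 0, 0, 0};
    gf_mul_calls = 0;
    last_deg = masked ? update_masked(sigma, X_sigma_p, 1, 3, d, 7)
                      : update_branching(sigma, X_sigma_p, 1, 3, d, 7);
    for (size_t i = 0; i <= PARAM_DELTA; ++i) last_sigma[i] = sigma[i];
    return gf_mul_calls;
}
```

With d = 0 the branching update performs no field multiplication at all while the masked one always performs the same ten, and both produce the same sigma and degree; that fixed amount of work, independent of the discrepancy, is what removes the weight-dependent timing the paper's attack relies on.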
