Secret and shared keys recovery on hamming quasi-cyclic with SASCA

IF 1.4 2区数学 Q3 COMPUTER SCIENCE, THEORY & METHODS

Designs, Codes and Cryptography Pub Date : 2025-02-12 DOI:10.1007/s10623-025-01575-2

Chloé Baïsse, Antoine Moran, Guillaume Goy, Julien Maillard, Nicolas Aragon, Philippe Gaborit, Maxime Lecomte, Antoine Loiseau

{"title":"Secret and shared keys recovery on hamming quasi-cyclic with SASCA","authors":"Chloé Baïsse, Antoine Moran, Guillaume Goy, Julien Maillard, Nicolas Aragon, Philippe Gaborit, Maxime Lecomte, Antoine Loiseau","doi":"10.1007/s10623-025-01575-2","DOIUrl":null,"url":null,"abstract":"<p>Soft Analytical Side Channel Attacks (SASCA) are a powerful family of Side Channel Attacks (SCA) that allows the recovery of secret values with only a small number of traces. Their effectiveness lies in the Belief Propagation (BP) algorithm, which enables efficient computation of the marginal distributions of intermediate values. Post-quantum schemes such as Kyber, and more recently, Hamming Quasi-Cyclic (HQC), have been targets of SASCA. Previous SASCA on HQC focused on Reed–Solomon (RS) codes and successfully retrieved the shared key with a high success rate for high noise levels using a single trace. In this work, we present new SASCA on HQC, where both the shared key and the secret key are targeted. Our attacks are realized on simulations. Unlike the previous SASCA, we take a closer look at the Reed–Muller (RM) code. The advantage of this choice is that the RM decoder is applied before the RS decoder, enabling attacks targeting both the secret key and shared key. We build a factor graph of the Fast Hadamard Transform (FHT) function from the HQC reference implementation of April 2023. The information recovered from BP allows us to retrieve the shared key with a single trace. In addition to the previous SASCA targeting HQC, we also manage to recover the secret key with two different chosen ciphertext attacks. One of them requires a single trace and is successful until high noise levels.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"18 1","pages":""},"PeriodicalIF":1.4000,"publicationDate":"2025-02-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Designs, Codes and Cryptography","FirstCategoryId":"100","ListUrlMain":"https://doi.org/10.1007/s10623-025-01575-2","RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

Soft Analytical Side Channel Attacks (SASCA) are a powerful family of Side Channel Attacks (SCA) that allows the recovery of secret values with only a small number of traces. Their effectiveness lies in the Belief Propagation (BP) algorithm, which enables efficient computation of the marginal distributions of intermediate values. Post-quantum schemes such as Kyber, and more recently, Hamming Quasi-Cyclic (HQC), have been targets of SASCA. Previous SASCA on HQC focused on Reed–Solomon (RS) codes and successfully retrieved the shared key with a high success rate for high noise levels using a single trace. In this work, we present new SASCA on HQC, where both the shared key and the secret key are targeted. Our attacks are realized on simulations. Unlike the previous SASCA, we take a closer look at the Reed–Muller (RM) code. The advantage of this choice is that the RM decoder is applied before the RS decoder, enabling attacks targeting both the secret key and shared key. We build a factor graph of the Fast Hadamard Transform (FHT) function from the HQC reference implementation of April 2023. The information recovered from BP allows us to retrieve the shared key with a single trace. In addition to the previous SASCA targeting HQC, we also manage to recover the secret key with two different chosen ciphertext attacks. One of them requires a single trace and is successful until high noise levels.

查看原文本刊更多论文

基于SASCA的hamming拟环上的密钥和共享密钥恢复

软分析侧通道攻击（SASCA）是一个强大的侧通道攻击（SCA）家族，它允许仅使用少量跟踪恢复秘密值。它们的有效性在于信念传播（BP）算法，该算法能够高效地计算中间值的边际分布。后量子方案，如Kyber，以及最近的Hamming准循环（HQC），都是SASCA的目标。以前HQC上的SASCA集中在里德-所罗门（RS）代码上，并成功地在高噪声水平下使用单个迹线以高成功率检索共享密钥。在这项工作中，我们提出了HQC上的新SASCA，其中共享密钥和秘密密钥都是目标。我们的攻击是在模拟中实现的。与之前的SASCA不同，我们将仔细研究Reed-Muller （RM）代码。这种选择的优点是RM解码器在RS解码器之前应用，从而允许针对秘密密钥和共享密钥的攻击。我们从2023年4月的HQC参考实现中构建了快速哈达玛变换（FHT）函数的因子图。从BP中恢复的信息使我们能够通过单一跟踪检索共享密钥。除了先前针对HQC的SASCA之外，我们还设法使用两种不同的选择密文攻击来恢复密钥。其中一种方法需要单迹，并且在高噪声水平之前是成功的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Designs, Codes and Cryptography 工程技术-计算机：理论方法

CiteScore

2.80

自引率

12.50%

发文量

157

审稿时长

16.5 months

期刊介绍： Designs, Codes and Cryptography is an archival peer-reviewed technical journal publishing original research papers in the designated areas. There is a great deal of activity in design theory, coding theory and cryptography, including a substantial amount of research which brings together more than one of the subjects. While many journals exist for each of the individual areas, few encourage the interaction of the disciplines. The journal was founded to meet the needs of mathematicians, engineers and computer scientists working in these areas, whose interests extend beyond the bounds of any one of the individual disciplines. The journal provides a forum for high quality research in its three areas, with papers touching more than one of the areas especially welcome. The journal also considers high quality submissions in the closely related areas of finite fields and finite geometries, which provide important tools for both the construction and the actual application of designs, codes and cryptographic systems. In particular, it includes (mostly theoretical) papers on computational aspects of finite fields. It also considers topics in sequence design, which frequently admit equivalent formulations in the journal’s main areas. Designs, Codes and Cryptography is mathematically oriented, emphasizing the algebraic and geometric aspects of the areas it covers. The journal considers high quality papers of both a theoretical and a practical nature, provided they contain a substantial amount of mathematics.