CryptoDB
Full Key-Recovery Cubic-Time Template Attack on Classic McEliece Decapsulation
Authors: | |
---|---|
Download: | |
Abstract: | Classic McEliece is one of the three code-based candidates in the fourth round of the NIST post-quantum cryptography standardization process in the Key Encapsulation Mechanism category. As such, its decapsulation algorithm is used to recover the session key associated with a ciphertext using the private key. In this article, we propose a new side-channel attack on the syndrome computation in the decapsulation algorithm that recovers the private key, which consists of the private Goppa polynomial g and the permuted support L. The attack relies on both practical aspects and theoretical contributions, namely that the side-channel distinguisher can accurately discriminate elements of the permuted support L, while relying only on a standard noisy Hamming weight leakage assumption and that there exists a cubic-time algorithm that uses this information to recover the private Goppa polynomial g. Compared with previous work targeting the Classic McEliece private key, this drastically improves both on the assumptions made in the attacker model and on the overall efficiency of the key-recovery algorithm. We have carried out the attack in practice on a microcontroller target running the reference implementation of Classic McEliece, and make the full attack source code available. |
BibTeX
@article{tches-2024-34875, title={Full Key-Recovery Cubic-Time Template Attack on Classic McEliece Decapsulation}, journal={IACR Transactions on Cryptographic Hardware and Embedded Systems}, publisher={Ruhr-Universität Bochum}, volume={2025}, pages={367-391}, url={https://tches.iacr.org/index.php/TCHES/article/view/11933}, doi={10.46586/tches.v2025.i1.367-391}, author={Vlad-Florin Drăgoi and Brice Colombier and Nicolas Vallet and Pierre-Louis Cayrel and Vincent Grosso}, year=2024 }