IACR News item: 05 November 2025
Andrei Alexei, Marios Omar Choudary, Vlad-Florin Dragoi
In this article, we provide the first side-channel attack on the Berlekamp-Massey
(BM) algorithm, which is the decoder used in the decryption process of
the Classic McEliece KEM. We conduct a chosen plaintext key recovery attack
that exploits the power consumption of the BM, which is highly dependent on the
secret Goppa support elements. We exploit the relation between plaintexts of small
Hamming weight, secret elements in the Goppa support and power traces using an
efficient Template Attack. Our method completely recovers the secret Goppa support
for the first parameter set of the Classic McEliece KEM using a single attack trace
per secret coefficient. The entire support can be recovered in less than 7 seconds on
a standard computer. Our experiments are performed using the ChipWhisperer-Lite
board platform with the ARM Cortex-M4 microcontroller.