Publication


Featured research published by Falko Strenzke.


PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography | 2008

Side Channels in the McEliece PKC

Falko Strenzke; Erik Tews; H. Gregor Molter; Raphael Overbeck; Abdulhadi Shoufan

The McEliece public key cryptosystem (PKC) is regarded as secure in the presence of quantum computers because no efficient quantum algorithm is known for the underlying problems, which this cryptosystem is built upon. As we show in this paper, a straightforward implementation of this system may feature several side channels. Specifically, we present a Timing Attack which was executed successfully against a software implementation of the McEliece PKC. Furthermore, the critical system components for key generation and decryption are inspected to identify channels enabling power and cache attacks. Implementation aspects are proposed as countermeasures to face these attacks.


International Conference on Information Security and Cryptology | 2009

A timing attack against patterson algorithm in the McEliece PKC

Abdulhadi Shoufan; Falko Strenzke; H. Gregor Molter; Marc Stöttinger

The security of the McEliece public-key cryptosystem is based on the difficulty of the decoding problem, which is NP-hard. In this paper we propose a timing attack on the Patterson algorithm, which is used for efficient decoding of Goppa codes. The attack is based on the relation between the error vector weight and the iteration number of the extended Euclidean algorithm used in the Patterson algorithm. This attack enables the extraction of the secret error vector with minimal overhead. A countermeasure is proposed and verified for an FPGA implementation.


PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography | 2010

A timing attack against the secret permutation in the McEliece PKC

Falko Strenzke

In this work we present a novel timing attack against the McEliece public key cryptosystem (PKC). In contrast to former works investigating timing attacks that aim at recovering the message, we devise how to exploit a vulnerability in the Patterson algorithm that allows the attacker to gather information about the secret permutation through a timing side channel. This information can be used to dramatically reduce the cost of a brute force attack against the secret key. We also describe the results obtained from a proof of concept implementation of the attack and give an appropriate countermeasure.


Workshop in Information Security Theory and Practice | 2010

A smart card implementation of the McEliece PKC

Falko Strenzke

In this paper we present a smart card implementation of the quantum computer resistant McEliece Public Key Cryptosystem (PKC) on an Infineon SLE76 chip. We describe the main features of the implementation which focuses on performance optimization. We give the resource demands and timings for two sets of security parameters, the higher one being in the secure domain. The timings suggest the usability of the implementation for certain real world applications.


Journal of Cryptographic Engineering | 2011

A simple power analysis attack on a McEliece cryptoprocessor

H. Gregor Molter; Marc Stöttinger; Abdulhadi Shoufan; Falko Strenzke

The security of the McEliece public-key cryptosystem is based on the difficulty of the decoding problem, which is NP-hard. In this article, we propose a simple power analysis attack on this cryptosystem. The attack exploits an information leakage which results from the relation between the error vector weight and the iteration number of the extended Euclidean algorithm used in the Patterson algorithm. Executing the proposed attacks enables the extraction of the secret error vector, and thus the plaintext, with minimal overhead. A countermeasure is presented which removes the information leakage and prevents the simple power analysis attack. The attack procedure and the countermeasure are applied to a cryptoprocessor implementation of the McEliece cryptosystem running on an FPGA platform.


International Workshop on Post-Quantum Cryptography | 2013

Timing Attacks against the Syndrome Inversion in Code-Based Cryptosystems

Falko Strenzke

In this work we present the first practical key-aimed timing attack against code-based cryptosystems. It arises from vulnerabilities that are present in the inversion of the error syndrome through the Extended Euclidean Algorithm that is part of the decryption operation of these schemes. Three types of timing vulnerabilities are combined into a successful attack. Each is used to gain information about the secret support, which is part of code-based decryption keys: the first allows recovery of the zero element, the second is a refinement of a previously described vulnerability yielding linear equations, and the third enables the retrieval of cubic equations.


Journal of Cryptographic Engineering | 2011

Message-aimed side channel and fault attacks against public key cryptosystems with homomorphic properties

Falko Strenzke

In this work, we introduce a new timing vulnerability in the decryption operation of the McEliece cryptosystem. Furthermore, we review previously known side channel and fault attacks against the RSA and McEliece cryptosystems and analyze them with respect to their differences and similarities concerning the respective points of attack. We show that it is basically the homomorphic properties of these schemes that allow the special type of message-aimed attacks based on observing the decryption of manipulated versions of the respective ciphertext and derive an according methodology for the analysis of such schemes with respect to these attacks. Consequently, we present new side channel attacks against other public key cryptosystems with homomorphic properties and point out certain aspects that are special to the countermeasures against this type of attack.


Cryptology and Network Security | 2012

Fast and Secure Root Finding for Code-Based Cryptosystems

Falko Strenzke

In this work we analyze five previously published or trivial approaches and two new hybrid variants for the task of finding the roots of the error locator polynomial during the decryption operation of code-based encryption schemes. We compare the performance of these algorithms and show that optimizations concerning finite field element representations play a key role in the speed of software implementations. Furthermore, we point out a number of timing attack vulnerabilities that can arise in root-finding algorithms, some aimed at recovering the message, others at the secret support. We give experimental results of software implementations showing that manifestations of these vulnerabilities are present in straightforward implementations of most of the root-finding variants presented in this work. As a result, we find that one of the variants provides security with respect to all vulnerabilities as well as competitive computation time for code parameters that minimize the public key size.


Computer and Communications Security | 2011

An efficient mobile PACE implementation

Alex Wiesmaier; Moritz Horsch; Johannes Braun; Franziskus Kiefer; Detlef Hühnlein; Falko Strenzke; Johannes A. Buchmann

Many future electronic identity cards will be equipped with a contactless interface. Analysts expect that a significant proportion of future mobile phones will support Near Field Communication (NFC) technology. Thus, it is a reasonable approach to use the cell phone as a mobile smart card terminal, which in particular supports the Password Authenticated Connection Establishment (PACE) protocol to ensure user consent and to protect the wireless interface between the mobile phone and the smart card. While there are efficient PACE implementations for smart cards, there does not seem to be an efficient and platform-independent solution for mobile terminals. Therefore we provide a new implementation using the Java Micro Edition (Java ME), which is supported by almost all modern mobile phones. However, the benchmarks of our first, straightforward PACE implementation on an NFC-enabled mobile phone have shown that improvement is needed. In order to reach a user-friendly performance we implemented an optimized version, which, as of now, is restricted to optimizations that can be realized using features of existing Java ME libraries. In the work at hand we present a review of the relevant algorithms and provide benchmarks of the corresponding arithmetic functions in different Java ME libraries. We discuss the different optimization approaches, introduce our optimized PACE implementation, and provide timings for a desktop PC and a mobile phone in comparison to the straightforward version. Finally, we investigate potential side channel attacks on the optimized implementation.


International Conference on Information and Communication Security | 2010

Manger's attack revisited

Falko Strenzke

In this work we examine a number of different open source implementations of RSA Optimal Asymmetric Encryption Padding (OAEP), and RSA in general, with respect to the message-aimed timing attack introduced by James Manger at CRYPTO 2001. We show the shortcomings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed countermeasures. Furthermore, we point out a new source of timing differences that has not been addressed previously. We also investigate a new class of related problems in the multi-precision integer arithmetic that in principle allows a variant of Manger's attack to be launched against RSA implementations on 8-bit and possibly 16-bit platforms.

Collaboration

Top co-authors of Falko Strenzke and their affiliations:

Franziskus Kiefer (Technische Universität Darmstadt)
Moritz Horsch (Technische Universität Darmstadt)
H. Gregor Molter (Technische Universität Darmstadt)
Detlef Hühnlein (Technische Universität Darmstadt)
Johannes A. Buchmann (Technische Universität Darmstadt)
Johannes Braun (Technische Universität Darmstadt)
Alexander Wiesmaier (Technische Universität Darmstadt)
Marc Stöttinger (Nanyang Technological University)
Abdulhadi Shoufan (Technische Universität Darmstadt)