Single Trace Analysis against HyMES by Exploitation of Joint Distributions of Leakages

Abstract

Beginning with the proposal of the McEliece cryptosystem in 1978, code-based cryptography has positioned itself as one of main categories in post-quantum cryptography (PQC). To date, the algebraic security of certain variants of McEliece cryptosystems has been challenged many times, although some of the variants have remained secure. However, recent studies on code-based cryptography have focused on the side-channel resistance since previous studies have indicated that the existing algorithms were vulnerable to side-channel analysis. In this paper, we propose the first side-channel attack on the Hybrid McEliece Scheme (HyMES) using only a single power consumption trace. HyMES is a variant of the McEliece system that provides smaller keys, along with faster encryption and decryption speed. By exploiting joint distributions of nonlinear functions in the decryption process, we were able to recover the private key of HyMES. To the best of our knowledge, this is the first work proposing a side-channel analysis based on a joint distribution of the leakages on the public-key system.

1. Introduction

Currently, main public-key cryptosystems in use (such as Rivest–Shamir–Adleman (RSA) and elliptic-curve cryptography (ECC)) are based on the difficulty of number theoretic problems. For example, RSA is based on the difficulty of factoring large numbers, while ECC is based on the difficulty of solving discrete logarithm problems on elliptic curves. However, when a quantum computer is put into practical use running the Shor algorithm, these problems can be solved in polynomial time, thus making the RSA and ECC insecure [1]. Studies on post-quantum cryptography have been actively conducted worldwide in attempts to solve this problem. Post-quantum cryptography involves a cryptographic algorithm that runs on a classical computer, and it is believed to be immune to quantum attacks. There are several categories of post-quantum cryptography: multivariate-based, lattice-based, code-based, isogeny-based cryptography, and hash-based digital signature algorithms. Multivariate cryptography is based on the difficulty of solving multivariate equation systems. Lattice-based cryptography is based on the difficulty of solving several lattice problems. Code-based cryptography is based on the difficulty of decoding general linear codes. Isogeny-based cryptography is based on the hardness of finding isogeny between elliptic curves. Finally, hash-based digital signature algorithms are based on the security of cryptographic hash functions. Among these categories, code-based cryptography has been researched the most due to its fast encryption and decryption speeds [2]. Additionally, code-based cryptosystems account for the second-most submitted categories to the National Institute of Standards and Technology (NIST) standardization project [3].

The first code-based cryptosystem was the McEliece cryptosystem, which was proposed by Robert McEliece in 1978 [4]. The McEliece cryptosystem was cryptographic scheme to use randomization in the encryption process. Since the main building block in implementing a McEliece cryptosystem is matrix multiplication, it provides faster encryption and decryption speeds than RSA [2]. However, one disadvantage of code-based cryptosystems is the key size involved in such systems. For example, the public key size of McEliece base on the Goppa code is about 437KB for 80-bit security [5]. Hybrid McEliece Scheme (HyMES) is a variant of the McEliece system that was proposed by B.Biswas in 2008 [6]. Since the public-key of HyMES uses a generator matrix represented in reduced row echelon form, it has a smaller key size than the classical McEliece. For 80-bit security, the public-key size of HyMES is 63KB, and it also provides faster speed than the classical McEliece [5].

Although the McEliece cryptosystem is theoretically secure, there could be certain vulnerabilities when implementing such a system [7,8,9]. For example, the side-channel analysis proposed by Kocher et al. is an attack based on information gained from the implementation rather than from the algorithm itself [10,11]. During the execution of an algorithm, additional information, such as time, power consumption, and electromagnetic information, can be used to reveal a secret key. Since the side-channel attack is now considered as a de facto standard, post-quantum cryptography (PQC) should similarly consider possible side-channel attacks in order to substitute RSA and ECC.

The first proposed side-channel attack on McEliece is the timing attack, which was proposed by Strenzke in 2008 [7]. In Reference [7], they revealed the secret key by exploiting the fact that the time difference information is related to the error bits of the codeword. Since the attack proposed by Strenzke, constant-time implementations have been considered when constructing and implementing code-based cryptosystems [12]. In 2010, Heyse et al. proposed the SPA (Simple Power Analysis) on McEliece [9]. Their attack involved analyzing the power consumption trace obtained during the decoding process. However, due to the structure of the decryption algorithm, the SPA proposed in Reference [9] cannot be applied to HyMES. On the other hand, Y. Linge proposed a side-channel analysis technique with which to identify a secret key by using the probability distribution of the input and the output of a nonlinear function varying with the secret key value [13]. The joint distribution is a probability distribution considering two or more random variables. The side-channel analysis using the joint distribution has only been investigated in the symmetric key cryptography, and several traces have been used.

In this paper, we present our proposed side-channel analysis on HyMES using a single power consumption trace. The main contributions of this paper are as follows.

• We propose the first side-channel analysis on HyMES using the joint distributions of leakages. We target the non-linearity of the pre-computation table in HyMES implementation [6]. By analyzing the leakage that occurs while calculating the parity-check matrix, we are able to recover the Goppa polynomial $g\left(z\right)$ and the support $L_{sec}$, which are the secret keys of HyMES. The proposed method only uses one power consumption trace, and it is the first joint distribution based analysis for public-key cryptography. Moreover, we demonstrate that any other public-key cryptosystem using nonlinear operation can be vulnerable to our attack. The details of our attack are presented in Section 3.
• We present an experimental result validating the efficiency of the proposed attack. We confirm that the proposed method works as expected by using simulated power traces. These simulated traces are collected by adding noise to the Hamming weight model. The attack success rate is 100% up to the noise standard deviation of 1.3. Further, we show that the performance of the proposed attack increase when several traces are used. When 10 traces are used, the attack success rate is 100% up to the noise standard deviation of 2.1.

The remainder of this paper is organized as follows. Section 2 provides background on code-based cryptography and discusses the side-channel attack used for the analysis. Section 3 provides a high-level description of the proposed attack. Section 4 shows the experimental results using the simulation traces. Finally, the conclusion is drawn in Section 5.

2. Related Works

In this section, we describe the backgrounds of concepts to be used throughout this paper. First, we briefly introduce binary Goppa code, which is one of the error correcting codes used in HyMES. We introduce the basic concepts in code-based cryptography and structures of HyMES. Finally, we introduce the side-channel analysis exploiting the joint distributions of leakages, which is the key attack method in the proposed analysis.

2.1. Binary Goppa Code

This paper only discusses basic information about the binary Goppa code over the finite field $F_2$. The Goppa code consists of the Goppa polynomial $g\left(z\right)$ and support $L_{sec}$. The $g\left(z\right)$ and $L_{sec}$ are defined in Definition 3.

Definition 1.

For positive integer $m,t$, Goppa polynomial $g\left(z\right)$ and support L are as follows.

$$g\left(z\right)=\sum _{i=0}^t{g}_i{z}^i\in F_{2^m}\left[z\right]$$

$$L=\{{\mathsf{\alpha }}_0,\dots ,{\mathsf{\alpha }}_{n-1}\}\in F_{2^m}^n,g\left({\mathsf{\alpha }}_j\right)\ne 0,\forall 0\le j\le n-1.$$

The syndrome $S_{\widehat{c}}$ required to decode the Goppa code is denoted in Equation (1). The binary $[n,k,d_c]$-Goppa code is defined as the set of all $\widehat{c}$ that have the syndrome $S_{\widehat{c}}$ at zero in Equation (2). Since the parity check matrix H spans the null space of C, as shown in Definition 2, we can derive H from the syndrome $S_{\widehat{c}}$ as in Equation (3).

Definition 2.

For the Goppa polynomial $g\left(z\right)$ and the support $L=\{{\mathsf{\alpha }}_0,\dots ,{\mathsf{\alpha }}_{n-1}\}$, the syndrome $S_{\widehat{c}}$ is as follows.

$$S_{\widehat{c}}=-\sum _{i=0}^{n-1}\frac{\widehat{c_i}}{g\left({\mathsf{\alpha }}_i\right)}\frac{g\left(z\right)-g\left({\mathsf{\alpha }}_i\right)}{z-{\mathsf{\alpha }}_i}\equiv \sum _{i=0}^{n-1}\frac{\widehat{c_i}}{z-{\mathsf{\alpha }}_i}modg\left(z\right),$$

(1)

$$Goppa(L,g\left(z\right))=\{\widehat{c}\in F_{2^m}^n\mid S_{\widehat{c}}=\sum _{i=0}^{n-1}\frac{\widehat{c_i}}{z-{\mathsf{\alpha }}_i}\equiv 0modg\left(z\right)\},$$

(2)

$$H=\left(\begin{array}{cccc}\frac{g_t}{g\left({\mathsf{\alpha }}_0\right)}& \frac{g_t}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{g_t}{g\left({\mathsf{\alpha }}_{n-1}\right)}\\ \frac{g_t{\mathsf{\alpha }}_0+g_{t-1}}{g\left({\mathsf{\alpha }}_0\right)}& \frac{g_t{\mathsf{\alpha }}_0+g_{t-1}}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{g_t{\mathsf{\alpha }}_0+g_{t-1}}{g\left({\mathsf{\alpha }}_{n-1}\right)}\\ \dots & \dots & & \dots \\ \frac{g_t{\mathsf{\alpha }}_0^{t-1}+\dots +g_2\mathsf{\alpha }+g_1}{g\left({\mathsf{\alpha }}_0\right)}& \frac{g_t{\mathsf{\alpha }}_0^{t-1}+\dots +g_2\mathsf{\alpha }+g_1}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{g_t{\mathsf{\alpha }}_0^{t-1}+\dots +g_2\mathsf{\alpha }+g_1}{g\left({\mathsf{\alpha }}_{n-1}\right)}\end{array}\right).$$

(3)

The H in Equation (3) can be simplified as shown in Equation (4), and the $\widehat{H}$ can be used as the parity check matrix because the determinant of $H_g$ is not 0.

$$H=\left(\begin{array}{cccc}{g}_t& 0& \dots & 0\\ g_{t-1}& g_t& \dots & 0\\ \dots & \dots & & \dots \\ g_1& g_2& \dots & g_t\end{array}\right)\times \left(\begin{array}{cccc}\frac{1}{g\left({\mathsf{\alpha }}_0\right)}& \frac{1}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{1}{g\left({\mathsf{\alpha }}_{n-1}\right)}\\ \frac{{\mathsf{\alpha }}_0}{g\left({\mathsf{\alpha }}_0\right)}& \frac{{\mathsf{\alpha }}_1}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{{\mathsf{\alpha }}_{n-1}}{g\left({\mathsf{\alpha }}_{n-1}\right)}\\ \dots & \dots & & \dots \\ \frac{{\mathsf{\alpha }}_0^{t-1}}{g\left({\mathsf{\alpha }}_0\right)}& \frac{{\mathsf{\alpha }}_1^{t-1}}{g\left({\mathsf{\alpha }}_1\right)}& \dots & \frac{{\mathsf{\alpha }}_{n-1}^{t-1}}{g\left({\mathsf{\alpha }}_{n-1}\right)}\end{array}\right)=H_g\times \widehat{H}.$$

(4)

2.2. Code-Based Cryptography

Error correction codes were first developed in 1947 by Richard Hamming. The technique was developed to enable the reliable delivery of digital data over unreliable communication channels. In this technique, the sender encodes the data using an error-correcting code prior to transmission. The additional information added by the code is used by the receiver to recover the original data. However, decoding is only efficient for linear codes with efficient decoding algorithms. The code-based cryptosystems make use of the fact that decoding the syndrome of a general linear code is known to be NP-hard, while efficient algorithms exist for the decoding of specific linear codes. The Goppa codes are an example of efficient correcting codes that can be turned into a secure coding scheme when the decoding functions are kept secret. Only an attacker in possession of the secret decoding function can remove the secret mapping and recover the plaintext. Before describing the Goppa codes, the definition of binary linear code is presented in Definition 1. The definitions of the generator matrix G and the parity check matrix H are as denoted in Definition 2.

Definition 3.

Binary linear code $[n,k]-C$ is a one-to-one function that takes a k-bit string message and outputs a n-bit string codeword.

Definition 4.

If the row vector space of $k\times n$ matrix G spans C over finite field F and the dimension of row vector space is k, then matrix G is the generator matrix of $[n,k]-C$ over F. For the $(n-k)\times n$ matrix H, if the column vectors of $H^T$ are the basis of the null space of G, H is the parity check matrix of C.

2.2.1. McEliece Cryptosystem

The McEliece cryptosystem was the first code-based public-key cryptosystem proposed by McEliece in 1978 [4]. Although the algorithm states that any error-correcting codes can be used, only McEliece with Goppa codes has resisted cryptanalysis to date [14,15]. In this paper, we define classical McEliece as McEliece with Goppa code. The encryption and decryption processes of McEliece are respectively described in Algorithms 1 and 2. In step 2, the generator matrix G corresponding to the code C is a matrix consisting of the basis sequences necessary for generating C. Therefore, k represents the dimension of code C. G is computed by using Goppa polynomial of degree t, which is the primary part of the public key. Scrambling matrix S and a permutation matrix P need to hide the algebraic structure of G. These are generated randomly and multiplied with G [4]. $HW\left(e\right)$ is the number of 1 when e is expressed in binary.

Algorithm 1 Classical McEliece: Encryption

InputM,Kpub = ($\widehat{G}=SGP,t$)

Output Ciphertext c

1: Represent the message M as k-bit vector m 2: Generate a random n-bit vector e. $HW\left(e\right)\le t$ 3: return $c=m\times \widehat{G}+e$

Algorithm 2 Classical McEliece: Decryption

Inputc,Ksec = ($G,S^{-1},P^{-1}$)

Output Message M

1: Compute the $\widehat{c}=c\times P^{-1}$ 2: Compute the syndrome $S_{\widehat{c}}$ 3: Obtain a k-bit $\widehat{m}=m\times S$ from $S_{\widehat{c}}$ using decoding algorithm $D_{Goppa}\left(\widehat{c}\right)$ 4: Compute the $m=\widehat{m}\times S^{-1}$ 5: Represent the m as a message M 6: return M

2.2.2. HyMES (Hybrid McEliece Scheme)

The HyMES was proposed by B.Biswas and N.Sendrier, who were members of the SECRET team at the INRIA Lab in 2008 [6]. The HyMES is a variant of the McEliece cryptosystem that provides a smaller key size and faster encryption rate than McEliece for the same security level. The key generation algorithm of HyMES is described below.

In step 1 of Algorithm 3, Goppa polynomial is chosen as an irreducible polynomial. In this case, since the minimum distance of the code satisfies $d_c\le 2t+1$, a valid user can correct a maximum of t errors. In step 2, the number of supports n is used as the number of all elements of $GF\left(2^m\right)$, and the supports are selected randomly from 0 to $2^{m-1}$ in order. The public-key size of HyMES is $k\times (n-k)$, which is reduced to $k\times k$ relative to the Classical McEliece whose public-key size is $k\times n$. The encryption and decryption algorithms are denoted in Algorithms 4 and 5, respectively.

Algorithm 3 HyMES: Key Generation

Inputt,n,m

OutputKsec,Kpub

1: Generate a random monic polynomial $g\left(z\right)$ as the Goppa polynomial $g\left(z\right)=z^t+c_{t-1}{z}^{t-1}+\dots +c_{1}z+c_0,$ $deg\left(g\left(z\right)\right)=t,c_i\in GF\left(2^m\right)$ 2: Randomly choose the support $L=\{{\mathsf{\alpha }}_0,\dots ,{\mathsf{\alpha }}_{n-1}\},{\mathsf{\alpha }}_i\in GF\left(2^m\right),g\left({\mathsf{\alpha }}_i\right)\ne 0$ 3: Compute the parity check matrix $\widehat{H}$ 4: Convert the parity check matrix to the systematic form ${\widehat{H}}_{sys}=\widehat{S}\widehat{H}\widehat{P}=(Q^T\mid I_{n-k})$ 5: If the parity check matrix $\widehat{H}$ is not converted to the systematic form $(Q^T\mid I_{n-k})$, go back to step 1 6: Replace support L with $L_{sec}=L\widehat{P}$ using $\widehat{P}$ 7: Compute $G_{sys}=(I_k\mid Q)=SGP$ 8: return $K_{sec}=(g\left(z\right),L_{sec}),K_{pub}=G_{sys}=(I_k\mid Q)$

Algorithm 4 HyMES: Encryption

Input$M,K_{pub}=G_{sys}=(I_k\mid Q)$

Output Ciphertext c

1: Represent the message M as k-bit vector m 2: Generate a random n-bit vector e. $HW\left(e\right)\le t$ 3: Return $c=m\times G_{sys}+e$

Algorithm 5 HyMES: Decryption

Input$c,K_{sec}=(g\left(z\right),L_{sec})$

Output Message M

1: Compute the syndrome $S_c=\left(H\widehat{P}\right)c^T$ 2: Obtain a k-bit $\widehat{m}=m\times S\times G\times P=m{G}_{sys}=m(I_k\mid Q)=(m\mid mQ)$ from $S_c$ using decoding algorithm $D_{Goppa}\left(c\right)$ 3: Obtain m from the top k-bit of $\widehat{m}$. 4: Represent the m as a message M 5: return M

In step 3 of Algorithm 4, it is not necessary to multiply the identity matrix $I_k$ for matrix multiplication with m and $G_{sys}$, so the encryption speed of HyMES is faster than that of the Classical McEliece.

2.3. Side-Channel Analysis by Exploiting Joint Distributions of Leakages

The side-channel analysis is an attack which exploits any weakness that occurs during the execution of a cryptographic algorithm. The first side-channel analysis using power consumption was proposed by Kocher et al. in Reference [11]. Later, S. Chari proposed the template attack in Reference [16], and then K.Schramm proposed a collision attack in Reference [17]. Since then, various side-channel attacks have proposed for various algorithms. Regarding code-based cryptography, Heyse et al. proposed SPA on the decoding process of the Classical McEliece in 2010 [9]. The proposed method used the leakage obtained when multiplying a matrix $P^{-1}$ before calculating the syndrome during decryption. However, since HyMES does not multiply $P^{-1}$ before calculating the syndrome in the decryption process, the method proposed in [9] cannot be used. Therefore, we analyzed HyMES by exploiting the joint distributions of leakages. In this section, we describe in detail the analysis exploiting the joint distributions of leakages.

In 2014, Y. Linge proposed a method of determining the secret key of AES by using the joint distributions [13]. They exploited the joint distributions of the input and output of the S-box, which is a nonlinear function of AES. Since this distribution depends on the key value, an attacker can identify the secret key under the assumption that the value of the plaintext pair is unknown. The attack procedure proposed by Y. Linge is described in Algorithm 6. The function g takes k and a as arguments and outputs b. The function $\varphi$ outputs the input’s Hamming weight. In Reference [13], the function g is selected as the AES S-box. In this example, the attack is described based on the S-box used in the first round SubBytes of AES.

Algorithm 6 Side channel analysis using joint distributions

Input$\left(a_i{b}_i\right),=0,\dots ,M-1$

Outputkey

1: $g:K\times A\to B,N=\left|K\right|,S(g,k),S_d\in \{0,\dots ,n\}\times \{0,\dots ,m\}$ 2: for $k\in K$          ← computation of theoretical joint distributions 3:   $S(g,k)\leftarrow 0$ 4:  for $a\in A$ 5:   $S(g,k)(\varphi \left(a\right),\varphi \left(g(a,k)\right))\leftarrow S(g,k)(\varphi \left(a\right),\varphi \left(g(a,k)\right)+\frac{1}{\left|A\right|}$ 6:  end 7: end 8: $S_d\leftarrow 0$ 9: for $i=0:M-1$           ← computation of estimated joint distribution 10:   $S_d(a_i,b_i)\leftarrow S_d(a_i,b_i)+\frac{1}{M}$ 11: end 12: $key\leftarrow 0$ 13: for $k\in K$          ← compare theoretical distribution and estimated distribution 14:  if $d(S(g,k),S_d)<d(S(g,key),S_d)$ 15:    $key\leftarrow k$ 16:  end 17: end 18: return $key$

First, steps 2–7 of Algorithm 6 are the processes involved in making the theoretical joint distributions table, which uses the Hamming weight values of random variables, plaintext a, and S-box output b. This process is performed for key $k^{\prime }=$ 0–255 with a 1-byte size. The $S(g,k)$ is the theoretical joint distribution table of $\mathsf{\varphi }\left(a\right)$ and $\mathsf{\varphi }\left(b\right)$ when the key is k for function g. The size of $S(g,k)$ is 9 × 9, since the range of possible Hamming weights for a and b is 0-8. Next, steps 9–11 are the processes of constructing the estimated joint distribution table using $(a_i,b_i)$ pairs, which are the estimated Hamming weight values of a and b. Finally, steps 13–18 are the processes for obtaining the similarity between the estimated distribution and the theoretical distribution. The guessed key is the one with the highest similarity to the real key.

In order to construct the estimated joint distribution table, the Hamming weight values of the plaintext a and the output b are estimated from the collected power consumption traces. Although the Hamming weight values should be accurately estimated for the performance of the attack, it is very difficult to accurately guess the Hamming weight values due to the noise signal. In 2017, an improved method was proposed that use a maximum likelihood method that reflects the influence of noise as a probability [18]. An attack using the joint distributions of leakages is possible because the joint distribution depends on the key value, which occurs because the AES S-box is sufficiently non-linear. The attack using the joint distribution has only been investigated in symmetric key cryptography.

3. Single Trace Analysis Against HyMES

In this section, we propose for the first time a side-channel attack on HyMES exploiting the joint distributions of the leakages. First, we present an outline of the proposed attack. Then, we describe the two steps used to recover the secret key $(g\left(z\right),L_{sec})$.

3.1. Outline of the Proposed Attack

Our attack targets the leakage obtained during the computation of $H\widehat{P}$. Note that $H\widehat{P}$ is required for syndrome operation $S_{\widehat{c}}=\left(H\widehat{P}\right)c^T$ in step 1 of Algorithm 5. The implementation of HyMES proposed in Reference [6] includes the process of calculating the column vectors $h_i$ of $H\widehat{P}$ in the key generation algorithm. The implementation precomputes the values $h_i,i=0,\dots ,n-1$ and stores the result as a secret key. Since these values are required to compute the syndrome, they can also be directly calculated in the decryption process if they are not precomputed. Therefore, without loss of generality, we may assume that the $h_i$ is calculated in the same way as described in Algorithm 7.

Algorithm 7 computes the $H\widehat{P}$ using the secret key $L_{sec}$ which is substituted with the permutation matrix $\widehat{P}$. The $h_i$ with length $mt$-bit can be expressed as a polynomial of degree $t-1$ degree polynomial over $GF\left[2^m\right]$, as shown in Equation (5).

$$h_i=h_i[t-1]z^{t-1}+h_i[t-2]z^{t-2}+\dots +h_i\left[0\right].$$

(5)

Algorithm 7 HyMES Implementation: Computation of $H\widehat{P}$ [6]

Input$g\left(z\right)=z^t+g_{t-1}{z}^{t-1}+\dots +g_0,L_{sec}=\{{\alpha }_0,\dots ,{\alpha }_{n-1}\},n=2^m$

Output the column vectors $h_i,i=0,\dots ,n-1\mathrm{of}H\widehat{P}$

1: for $i=0:n-1$ 2:   $h_i[t-1]\leftarrow 1$ 3:  for $j=t-2:0$ 4:    $h_i\left[j\right]\leftarrow g_{j+1}\oplus ({\mathsf{\alpha }}_i\times h_i[j+1])$ 5:  end 6:   $a\leftarrow g_0\oplus ({\mathsf{\alpha }}_i\times h_i\left[0\right])$ 7:  for $j=0:t-1$ 8:    $h_i\left[j\right]\leftarrow h_i\left[j\right]/a$ 9:  end 10: end 11: return $h_i,i=0,\dots ,n-1$

To recover the secret key $(g\left(z\right),L_{sec})$, the proposed attack is divided into two stages. The first stage of the attack identifies the Goppa polynomial $g\left(z\right)$ based on the joint distributions of leakages. The second stage finds the remaining secret key $L_{sec}$ through the horizontal correlation analysis by using $g\left(z\right)$ obtained in the first stage. In Section 3.2 and Section 3.3, we explain how to determine $g\left(z\right)$ and $L_{sec}$, respectively.

3.2. Recovering $g\left(z\right)$

The multiplication and division involved in Algorithm 7 are computed over the field $GF\left(2^m\right)$. In general, the multiplication and division on $GF\left(2^m\right)$ are implemented using the exponentiation-table and the log-table for the purpose of speed efficiency. For the root $\mathsf{\alpha }$ of the primitive polynomial $p\left(x\right)$ that constitutes $GF\left(2^m\right)$, the exponentiation-table takes the positive integer i as input and returns ${\mathsf{\alpha }}^i$. The log-table is constructed to return i by taking the element ${\mathsf{\alpha }}^i$ of $GF\left(2^m\right)$ as an input. In Reference [6], the multiplication and division are computed by addition, subtraction, and modulus operations using the pre-computed log-table and exponentiation-table. Note that using the tables is more efficient than directly computing the exponentiations and logarithm values. The implementations of multiplication and division over $GF\left(2^m\right)$ are as shown in Algorithms 8 and 9, respectively.

Algorithm 8 HyMES implementation: Multiplication over $GF\left(2^m\right)$ [6]

Input$a,b\in GF\left(2^M\right),\exp \left[i\right]={\alpha }^i,\log \left[{\alpha }^i\right]=i,i=0,\dots ,2^m-1mod\left(d\right)=\left(\right(d)\wedge (2^m-1\left)\right)+\left(\right(d)>>m)$

Output the column vectors $a\times b\in GF\left(2^m\right)$

1: if a or $b=0$ 2:  $a\times b\leftarrow 0$ 3: else 4:  $a\times b\leftarrow exp\left[mod\right(log\left[a\right])+log[b\left]\right]$ 5: end 6: return $a\times b$

Algorithm 9 HyMES implementation: Division over $GF\left(2^m\right)$ [6]

Input$a,b\in GF\left(2^M\right),\exp \left[i\right]={\alpha }^i,\log \left[{\alpha }^i\right]=i,i=0,\dots ,2^m-1mod\left(d\right)=\left(\right(d)\wedge (2^m-1\left)\right)+\left(\right(d)>>m)$

Output the column vectors $a/b\in GF\left(2^m\right)$

1: if $a=0$ 2:  $a/b\leftarrow 0$ 3: else 4:  $a/b\leftarrow exp\left[mod\right(log\left[a\right])-log[b\left]\right]$ 5: end 6: return $a/b$

Now that the basic field operations have been explained, we present the method to recover $g\left(z\right)$. To find $g\left(z\right)$, we must find the coefficients $g_{t-1},g_{t-2},\dots ,g_0$ of all the orders of $g\left(z\right)$. In this section, we only explain how to find $g_{t-1}$, since the other coefficients are found with the same methods used for $g_{t-1}$. The full recovery of $g\left(z\right)$ using the joint distributions of leakages is described in Algorithm 10.

Function $l(k,a)$ is a function that returns $log[k\oplus a]$ by taking the elements k and a of $GF\left(2^m\right)$, while function $\mathsf{\varphi }\left(v\right)$ takes v as input and returns the Hamming weight of v. The value of $a_i$ and $b_i$ are the estimated Hamming weights of the input a and output b of the function $l(k,a)$, respectively.

When $j=t-2,t-3$ in the step 3 loop of Algorithm 7, the operation process can be described as follows for $i=0:2^m-1$.

$$h_0[t-2]=g_{t-1}\oplus ({\mathsf{\alpha }}_0\times h_0[t-1])$$

$$h_0[t-3]=g_{t-2}\oplus ({\mathsf{\alpha }}_0\times h_0[t-2])$$

$$h_1[t-2]=g_{t-1}\oplus ({\mathsf{\alpha }}_1\times h_1[t-1])$$

$$h_1[t-3]=g_{t-2}\oplus ({\mathsf{\alpha }}_1\times h_1[t-2])$$

(6)

$$\dots$$

$$h_{2^m-1}[t-2]=g_{t-1}\oplus ({\mathsf{\alpha }}_{2^m-1}\times h_{2^m-1}[t-1])$$

$$h_{2^m-1}[t-3]=g_{t-2}\oplus ({\mathsf{\alpha }}_{2^m-1}\times h_{2^m-1}[t-2]).$$

The multiplication operation ${\mathsf{\alpha }}_i\times h_i[t-2]$ over $GF\left(2^m\right)$ in Equation (6) is performed by using the pre-computation table as shown in Equation (7).

$$exp\left[mod(log\left[{\mathsf{\alpha }}_i\right]+log[g_{t-1}\oplus ({\mathsf{\alpha }}_i\times 1)])\right].$$

(7)

Algorithm 10 Analysis for $g\left(z\right)$

Input Power consumption trace P for HyMES key generation, A table log[], exp[] created with the primitive polynomial p(x)

Output the column vectors $g\left(z\right)=z^t+g_{t-1}{z}^{t-1}+\dots +g_0$

1: $l:K\times A\to B,S(l,g_i^{\prime }),S_d\in \{0,\dots ,m\}\times \{0,\dots ,m\}$ 2: for $j=t-1:1$ 3:  for $g_j^{\prime }=0:2^m-1$ 4:   $S(l,g_j^{\prime })\leftarrow 0$ 5:   for $a=0:2^m-1$ 6:    $S(l,g_j^{\prime })(\varphi \left(a\right),\varphi \left(l(a,g_j^{\prime })\right))\leftarrow S(l,g_j^{\prime })(\varphi \left(a\right),\varphi \left(g(a,g_j^{\prime })\right)+\frac{1}{2^m}$ 7:   end 8:  end 9:  for $i=0:2^m-1$ 10:   Find POI ${\mathsf{\alpha }}_i\times h_i\left[j\right],log\left[h_i[j-1]\right]$ 11:  end 12:  Estimate data Hamming weight using slice method 13:  for $i=0:2^m-1$ 14:   $S_d(a_i,b_i)\leftarrow S_d(a_i,b_i)+\frac{1}{2^m}$ 15:  end 16:  $g_j\leftarrow 0$ 17:  for $g_j^{\prime }=0:2^m-1$ 18:   if $d(S(l,g_j^{\prime }),S_d)<d(S(l,g_j),S_d)$ 19:    $g_j\leftarrow g_j^{\prime }$ 20:   end 21:  end 22: end 23: return $g\left(z\right)=z^t+g_{t-1}{z}^{t-1}+\dots +g_0$

To find $g_{t-1}$, we use $log[g_{t-1}\oplus ({\mathsf{\alpha }}_i\times 1)]$ in the second log table operation of Equation (7). First, we set the Hamming weights of ${\mathsf{\alpha }}_i$ and $log[g_{t-1}\oplus {\mathsf{\alpha }}_i]$ as random variables, and then construct the theoretical joint distribution tables for $2^m$ key candidates $g_{t-1}^{\prime }$. The range of Hamming weights is 0-m since ${\mathsf{\alpha }}_i$ and $log[g_{t-1}\oplus {\mathsf{\alpha }}_i]$ are elements in $GF\left(2^m\right)$. Therefore, the size of the joint distribution table $S(l,g_{t-1})$ is $(m+1)\times (m+1)$. Next, we find the point at which ${\mathsf{\alpha }}_i$ and $log\left[g_{t-1}\right]\oplus {\mathsf{\alpha }}_i$ are processed from the power consumption trace of Algorithm 7. In this paper, the power consumption model follows the Hamming weight model shown in Equation (8), under the assumption that $\mathsf{\alpha }$ and $\mathsf{\beta }$ are the same at all time points.

$$P_v=\mathsf{\alpha }HW\left(v\right)+\mathsf{\beta }+\omega$$

(8)

The estimated joint distribution table can be constructed by guessing the Hamming weight of ${\mathsf{\alpha }}_i$ and $log[g_{t-1}\oplus {\mathsf{\alpha }}_i]$ from the power consumption value $P_{{\mathsf{\alpha }}_i}$ and $P_{log[g_{t-1}\oplus {\mathsf{\alpha }}_i]}$, respectively. The Hamming weight of ${\mathsf{\alpha }}_i$ and $log[g_{t-1}\oplus {\mathsf{\alpha }}_i]$ can be estimated using Linge’s slice method. This slice method uses the correlation between the Hamming weight and the power consumption value. For example, the number of data points with Hamming weight p is about $\frac{M\times C_N^p}{2^N}$ among N-bit data M with uniform distribution. By sorting the power consumption values for the M data in ascending order, it is possible to guess the Hamming weight of the corresponding data. The performance of the slice method increases when the values of the actually used data are uniformly distributed, so it is necessary to use a sufficient amount of data. Finally, when the similarity between the theoretical joint distribution and the estimated joint distribution is compared, $g_{t-1}^{\prime }$ with the highest similarity is selected as the real key $g_{t-1}$. In this paper, we use the Harmonic Mean Distance, Inner Product Distance, and $\chi$-square Pearson Distance as the comparison method of distribution similarity. The definitions of the three similarity comparison methods are the same as Definition 5–7.

Definition 5.

Harmonic Mean Distance (HMD) is as follows.

$$HMD(S(g,k),S_d)=\left\{\begin{array}{cc}1-2\sum _{i=0}^{i=n}\sum _{j=0}^{j=m}\frac{p_{i,j}{f}_{i,j}}{p_{i,j}+f_{i,j}},\hfill & p_{i,j}+f_{i,j}\ne 0\hfill \\ 0,\hfill & p_{i,j}+f_{i,j}=0.\hfill \end{array}\right.$$

(9)

Definition 6.

Inner Product Distance is as follows.

$$IPD(S(g,k),S_d)=1-\sum _{i=0}^{i=n}\sum _{j=0}^{j=m}{p}_{i,j}{f}_{i,j}.$$

(10)

Definition 7.

χ-square Pearson Distance is as follows.

$${\chi }^{2}PD(S(g,k),S_d)=\left\{\begin{array}{cc}\sum _{i=0}^{i=n}\sum _{j=0}^{j=m}\frac{{(p_{i,j}-f_{i,j})}^2}{f_{i,j}},\hfill & f_{i,j}\ne 0\hfill \\ 0,\hfill & f_{i,j}=p_{i,j}\hfill \\ \infty ,\hfill & f_{i,j}=0\ne p_{i,j}.\hfill \end{array}\right.$$

(11)

3.3. Recovering $L_{sec}$

In this section, we explain how to find the remaining secret key $L_{sec}$ using g(z) obtained in Section 3.2. The process of finding $L_{sec}$ is described in Algorithm 11. We explain the process of finding $L_{sec}$ by recovering the first support value ${\mathsf{\alpha }}_0$ as a concrete example. The other support values can be analyzed using the same logic used to find ${\mathsf{\alpha }}_0$. When $i=0$ in Algorithm 7, the operation process can be expressed by Equation (12). To find ${\mathsf{\alpha }}_0$, we perform the horizontal correlation power analysis between the actual power consumption values that occur when values dependent on ${\mathsf{\alpha }}_0$ are processed and the Hamming weights of the values, which are calculated by guessing the value of ${\mathsf{\alpha }}_0$ in Equation (12). The number of equations containing ${\mathsf{\alpha }}_0$ in Equation (12) is $t-1+1+t=2t$. Therefore, the number of data available for the horizontal correlation power analysis is $2t$. Generally, HyMES with 88-bit security uses the parameter $m=11,t=32$. Therefore, 64 data points are available for the horizontal correlation power analysis using these parameters, which is a little data for the actual analysis. This can be resolved by using ${\mathsf{\alpha }}_0$-dependent values. By using all the ${\mathsf{\alpha }}_0$-dependent values used in the multiplication and division operations in steps 2–21 of Algorithm 11, $8t=256$ data can ultimately be used for the analysis. When the correlation coefficients between actual power consumption values and $8t$ power consumption models, which are estimated from 0 to $2^{11}-1$, are obtained, the estimated value with the highest correlation coefficient can be considered as the correct ${\mathsf{\alpha }}_0$.

$$h_0[t-1]=1$$

$$h_0[t-2]=g_{t-1}+({\mathsf{\alpha }}_0\times h_0[t-1])$$

$$h_0[t-3]=g_{t-2}+({\mathsf{\alpha }}_0\times h_0[t-2])$$

$$\dots$$

$$h_0\left[0\right]=g_1+({\mathsf{\alpha }}_0\times h_0\left[1\right])$$

$$a=g_0+({\mathsf{\alpha }}_0\times h_0\left[0\right])$$

$$h_0\left[0\right]=h_0\left[0\right]/a$$

$$h_0\left[1\right]=h_0\left[1\right]/a$$

$$\dots$$

$$h_0[t-1]=h_0[t-1]/a.$$

(12)

Algorithm 11 Analysis for $L_{sec}$

Input Power consumption values of POI of HyMES P ∈ Mat1 × 8t, A table log[], exp[] created with the primitive polynomial p(x), Goppa polynomial $g\left(z\right)=z^t+g_{t-1}{z}^{t-1}+\dots +g_0$

Output$L_{sec}=\{{\alpha }_0,\dots ,{\alpha }_{-1}\}$

1: for $i=0:n-1$ 2:  for $j=0:n-1$ 3:   $p{m}_1\leftarrow hw\left(j\right)$ 4:   $p{m}_2\leftarrow hw(log\left[j\right])$ 5:   $p{m}_3\leftarrow hw(log\left[j\right]+log\left[h_i[t-1]\right])$ 6:   $p{m}_4\leftarrow hw\left(mod(log\left[j\right]+log\left[h_i[t-1]\right])\right)$ 7:   $p{m}_5\leftarrow hw(exp\left[mod(log\left[j\right]+log\left[h_i[t-1]\right])\right])$ 8:   for $k=t-2:0$ 9:    $p{m}_{5(t-2-k)+6}\leftarrow hw\left(h_i\left[k\right]\right)$ 10:    $p{m}_{5(t-2-k)+7}\leftarrow hw(log\left[h_i\left[k\right]\right])$ 11:    $p{m}_{5(t-2-k)+8}\leftarrow hw(log\left[j\right]+log\left[h_i\left[k\right]\right])$ 12:    $p{m}_{5(t-2-k)+9}\leftarrow hw\left(mod(log\left[j\right]+log\left[h_i\left[k\right]\right])\right)$ 13:    $p{m}_{5(t-2-k)+9}\leftarrow hw(exp\left[mod(log\left[j\right]+log\left[h_i\left[k\right]\right])\right])$ 14:   end 15:   for $k=0:t-1$ 16:    $p{m}_{3k+5t+1}\leftarrow hw(log\left[h_i\left[k\right]\right]-log\left[a\right])$ 17:    $p{m}_{3k+5t+2}\leftarrow hw\left(mod(log\left[h_i\left[k\right]\right]-log\left[a\right])\right)$ 18:    $p{m}_{3k+5t+3}\leftarrow hw(exp\left[mod(log\left[h_i\left[k\right]\right]-log\left[a\right])\right])$ 19:   end 20:   $c{t}_j\leftarrow \rho (\mathbf{PM},\mathbf{T})$ 21:  end 22:  ${\mathsf{\alpha }}_i\leftarrow argma{x}_j\left(\mathbf{CT}\right)$ 23: end 24: return $L_{sec}=\{{\mathsf{\alpha }}_0,\dots ,{\mathsf{\alpha }}_{n-1}\}$

4. Experiment

In this section, we describe the experimental results of the proposed attack. The experiments were conducted by using simulated power traces under the assumption that the power consumption models follow Equation (8). We assume that the $\mathsf{\alpha }$ and $\mathsf{\beta }$ in Equation (8) are equal to 1 and 0 at all points. We use the parameters $m=11$ and $t=32$[6] for the analysis. We present the analysis results of the coefficients $g_{31}$ and ${\mathsf{\alpha }}_0$, where $g_{31}$ is the 32nd term of the secret key $g\left(z\right)$ and ${\mathsf{\alpha }}_0$ is the first element of the support $L_{sec}$. Although we only present experimental results for when $g_{31}$ is 1499 and ${\mathsf{\alpha }}_0$ is 999, similar results can be confirmed for other secret key values.

4.1. Find $g\left(z\right)$ Using Harmonic Mean Distance

To find $g_{31}$, we conducted an analysis by exploiting the joint distributions of two random variables $A={\mathsf{\alpha }}_i\times h_i[t-1]$ and $B=log\left[h_i[t-2]\right]=log[g_{t-1}\oplus {\mathsf{\alpha }}_i]$. The similarity between the theoretical distribution according to the guessing key $g_{31}^{\prime }$ and the distribution estimated from the simulation trace were obtained using three similarity comparison methods. The power consumption model is set to $\mathsf{\alpha }=1,\mathsf{\beta }=0$, and $\sigma =0.1$, where $\sigma$ is the noise standard deviation. Figure 1 shows the similarity between the theoretical distribution and the estimated distribution using HMD. Note that the smaller distance indicates high similarity between the two distributions.

When $g_{31}^{\prime }=1499$, the highest similarity was found at 0.0001016 and the second highest was fount at 0.007898 when $g_{31}^{\prime }=508$. This indicates that the difference between the distance of the correct key and the distance of the wrong key is not very large, so that when the noise value becomes large enough, the analysis failure rate rises. To solve this problem, two random variables $C=mod(log\left[{\mathsf{\alpha }}_i\right]+log\left[h_i[t-2]\right])$ and $D=exp\left[C\right]$ can be respectively added to A and B to form a joint distribution using four random variables in total. The use of four random variables magnifies the difference between the correct key and wrong key, which allows the correct key to be guessed with a higher success rate.

Figure 2 shows the result of HMD between the theoretical joint distribution and the estimated distribution constructed by using four random variables. The experimental result shows that the distance at $g_{31}^{\prime }=1499$ is 0.01776 and that the distance at $g_{31}^{\prime }=927$ is 0.3911. We found that the difference between the distance to the correct guessing key and the wrong key is larger when using four random variables than when using two random variables. As mentioned earlier, many random variables elaborates the joint distributions of the leakages.

Figure 3 shows the success rate of the attack according to the noise standard deviation. Recall that the attack is based on the joint distributions of leakages constructed by using two random variables. The success rate of the attack was measured by increasing the noise standard deviation from 0 to 2.5 in increments of 0.1. We analyzed 10,000 case according to the noise standard deviation. The experimental result using IPD shows that even if the noise standard deviation is zero, the success rate is still zero. The result when ${\chi }^2$PD is used shows that the success rate of the attack is 1 until the noise standard deviation reaches 0.3, and the success rate of the attack starts to decrease rapidly after 0.4. The result when HMD is used is the best among the results of the three methods. When the noise standard deviation is 0.4, the success rate of the attack begins to decrease to 0.9814.

Figure 4 shows the experimental results using four random variables. The other experimental conditions are the same as those shown in Figure 3. The success rate of the attack according to the noise standard deviation is highest when HMD is used. The success rate of the attack remains at 1 up to the noise standard deviation of 0.6, and then starts to decrease from 0.7 to 0.9823. Figure 4 shows that using four random variables improves the performance of the attack. However, in practice, environments with a noise standard deviation of 0.6 are extremely rare and can be difficult to analyze. The success rate of the attack is not high even in an environment where the noise standard deviation is small because of the errors between the estimated Hamming weight and the actual value used in constructing the estimated joint distribution.

Table 1. Performance of slice method.

$\mathsf{\alpha }$ = 1			$\mathsf{\alpha }$ = 2
$\mathit{N}$	$\mathsf{\sigma }$	Correct Rate	$\mathit{N}$	$\mathsf{\sigma }$	Correct Rate
	0.1	0.9581		0.1	0.9542
	0.5	0.6975		0.5	0.9335
	1	0.4293		1	0.6971
2048	2	0.2790	2048	2	0.4280
	3	0.2349		3	0.3268
	4	0.2149		4	0.2772
	5	0.2024		5	0.2503
	0.1	0.9846		0.1	0.9856
	0.5	0.7008		0.5	0.9532
	1	0.4288		1	0.7012
20480	2	0.2783	20480	2	0.4292
	3	0.2337		3	0.3272
	4	0.2144		4	0.2789
	5	0.2035		5	0.2509

shows the success rate of the slice method for the data with a maximum Hamming weight of 11. The success rate was calculated based on the noise standard deviation for the case of $\mathsf{\alpha }=1$ and the case of $\mathsf{\alpha }=2$. The data used is a random value according to the uniform distribution. The numbers of data point used were 2048, which is the minimum number for applying the slice method to 11-bit data, and 20,480, which is 10 times larger than the minimum number. The experimental result presented above shows that the more data points used and the larger the value of $\mathsf{\alpha }$, the better the performance of the slice method.

4.2. Find $g\left(z\right)$ Using Maximum Likelihood

If the Hamming weight of POI (Point of Interesting) is estimated with only one trace, it is very difficult to correct the error due to the noise. However, conducting an analysis using the maximum likelihood method [18] can improve the performance of the attack. This can be attributed to the fact that the maximum likelihood reflects the influence of the noise with probability. The results of the analysis of the maximum likelihood method are shown in Figure 5.

In the case of using two variables, the success rate of the attack remains at 1 up to a noise standard deviation of 0.4, which results in a smaller but better result than the result of the method shown in Figure 3. In the case of using four variables, the success rate of the attack remain at 1 up to a noise standard deviation of 1.3, which is about twice as high as the analysis result obtained using the best result HMD performance.

4.3. Find ${\mathsf{\alpha }}_0$

Figure 6 shows the success rate of the attack according to the noise standard deviation when the horizontal correlation power analysis is conducted with 256 partial traces to identify ${\mathsf{\alpha }}_0$. The success rate of the attack was measured by increasing the noise standard deviation from 0 to 2.5 in increments of 0.1. The horizontal correlation power analysis was performed 10,000 times according to the noise standard deviation. The success rate of the attack remains at 1 up to a noise standard deviation of 2.7, and then starts to decrease from 2.8.

4.4. Experiments Using Multiple Traces

In the previous experiments, only one trace was used for analysis. The experimental results obtained using the maximum likelihood yielded an analysis success rate of 1 up to a noise standard deviation of 1.3. However, the noise standard deviation of 1.3 is a small value in a typical actual analysis environment, and it may be difficult to analyze according to the trace collection environment. Therefore, we experimentally confirmed that the performance of the attack can be improved by using additional traces. For each experiment with one trace, we accumulate the scores from the most probable candidate key to the least probable candidate key. More concretely, 5–1 points were accumulated from the first candidate key to the fifth candidate key.

Figure 7 shows the experimental result obtained using 10 traces. The noise standard deviation was increased by 0.1. The analysis was conducted 10000 times for each noise standard deviation. The analysis performed for each trace is the maximum likelihood when using four variables. We performed a maximum likelihood analysis for each trace and used four random variables. The attack success rate remains at 1 up to a noise standard deviation of 2.1, and then begins to decrease from 2.2. In this paper, we experimented with 10 traces, but we can obtain better experimental results by using more traces.

5. Conclusions

In this paper, we analyzed HyMES by exploiting the joint distributions of leakages. We exploited the nonlinearity of the precomputation table used in calculating the column vector $h_i$ of the parity check matrix H in the decryption process. Previously, the side-channel analysis by exploiting the joint distributions of leakages was only investigated for the symmetric key cryptography. To the best of our knowledge, this is the first to analyze the public-key cryptosystem exploiting the joint distributions of leakages. The experimental results using a single simulated power trace show a success rate of 100% up to a noise standard deviation 1.3. We demonstrated that the proposed attack can be applied to all code-based cryptosystems that calculate $h_i$ in the manner proposed in Reference [6].