    A Power Side-Channel Attack on the CCA2-Secure HQC KEM

    The Hamming Quasi-Cyclic (HQC) proposal is a promising candidate in the second round of the NIST Post-Quantum Cryptography Standardization project. It features small public key sizes and precise estimation of its decryption failure rates, and, contrary to most code-based systems, its security does not rely on hiding the structure of an error-correcting code. In this paper, we propose the first power side-channel attack on the Key Encapsulation Mechanism (KEM) version of HQC. Our attack utilizes a power side-channel to build an oracle that outputs whether the BCH decoder in HQC's decryption algorithm corrects an error for a chosen ciphertext. Based on the decoding algorithm applied in HQC, it is shown how to design queries such that the output of the oracle allows retrieving a large part of the secret key. The remaining part of the key can then be determined by an algorithm based on linear algebra. It is shown in experiments that fewer than 10000 measurements are sufficient to successfully mount the attack on the HQC reference implementation running on an ARM Cortex-M4 microcontroller.

    A Power Side-Channel Attack on the Reed-Muller Reed-Solomon Version of the HQC Cryptosystem

    The code-based post-quantum algorithm Hamming Quasi-Cyclic (HQC) is a fourth round candidate in the NIST standardization project. Since their third round version the authors utilize a new combination of error correcting codes, namely a combination of a Reed-Muller and a Reed-Solomon code, which requires an adaptation of published attacks. We identify that the power side-channel attack by Ueno et al. from CHES 2021 does not work in practice as they miss the fact that the implemented Reed-Muller decoder does not have a fixed decoding boundary. In this work we provide a novel attack strategy that again allows for a successful attack. Our attack does not rely on simulation to verify its success but is proven with high probability for the HQC parameter sets. In contrast to the timing side-channel attack by Guo et al., we are able to reduce the required attack queries by a factor of 12 and are able to eliminate the inherent uncertainty of the timing oracle they use. We show practical attack results utilizing a power side-channel of the used Reed-Solomon decoder on an ARM Cortex-M4 microcontroller. In addition, we provide a discussion on how or whether our attack strategy is usable with the side-channel targets of the related work mentioned. Finally, we use information set decoding to evaluate the remaining attack complexity for partially retrieved secret keys. This work again emphasizes the need for a side-channel secure implementation of all relevant building blocks of HQC.

    Information-Set Decoding with Hints

    This paper studies how to incorporate small information leakages (called "hints") into information-set decoding (ISD) algorithms. In particular, the influence of these hints on solving the (n, k, t)-syndrome-decoding problem (SDP), i.e., generic syndrome decoding of a code of length n, dimension k, and an error of weight t, is analyzed. We motivate all hints by leakages obtainable through realistic side-channel attacks on code-based post-quantum cryptosystems. One class of studied hints consists of partial knowledge of the error or message, which allows reducing the length, dimension, or error weight using a suitable transformation of the problem. As a second class of hints, we assume that the Hamming weights of subblocks of the error are known, which can be motivated by a template attack. We present adapted ISD algorithms for this type of leakage. For each third-round code-based NIST submission (Classic McEliece, BIKE, HQC), we show how many hints of each type are needed to reduce the work factor below the claimed security level. E.g., for Classic McEliece mceliece348864, the work factor is reduced below 2^128 for 175 known message entries, 9 known error locations, 650 known error-free positions, or known Hamming weights of 29 subblocks of roughly equal size.

    FuLeeca: A Lee-based Signature Scheme

    In this work we introduce a new code-based signature scheme, called FuLeeca, based on the NP-hard problem of finding codewords of given Lee-weight. The scheme follows the Hash-and-Sign approach applied to quasi-cyclic codes. Similar approaches in the Hamming metric have suffered statistical attacks, which revealed the small support of the secret basis. Using the Lee metric, we are able to thwart such attacks. We use existing hardness results on the underlying problem and study adapted statistical attacks. We propose parameters for FuLeeca and compare them to an extensive list of proposed post-quantum secure signature schemes including the ones already standardized by NIST. This comparison reveals that FuLeeca is competitive. For example, for NIST category I, i.e., 160 bits of classical security, we obtain an average signature size of 1100 bytes and public key sizes of 1318 bytes. Comparing the total communication cost, i.e., the sum of the signature and public key size, we see that FuLeeca is only outperformed by Falcon while the other standardized schemes Dilithium and SPHINCS+ show larger communication costs than FuLeeca.

    Molecular profiling of single circulating tumor cells with diagnostic intention

    Several hundred clinical trials currently explore the role of circulating tumor cell (CTC) analysis for therapy decisions, but assays are lacking for comprehensive molecular characterization of CTCs with diagnostic precision. We therefore combined a workflow for enrichment and isolation of pure CTCs with a non-random whole genome amplification method for single cells and applied it to 510 single CTCs and 189 leukocytes of 66 CTC-positive breast cancer patients. We defined a genome integrity index (GII) to identify single cells suited for molecular characterization by different molecular assays, such as diagnostic profiling of point mutations, gene amplifications and whole genomes of single cells. The reliability of >90% for successful molecular analysis of high-quality clinical samples selected by the GII enabled assessing the molecular heterogeneity of single CTCs of metastatic breast cancer patients. We readily identified genomic disparity of potentially high relevance between primary tumors and CTCs. Microheterogeneity analysis among individual CTCs uncovered pre-existing cells resistant to ERBB2-targeted therapies, suggesting ongoing microevolution at late-stage disease whose exploration may provide essential information for personalized treatment decisions and shed light on mechanisms of acquired drug resistance.

    A measurement of the W boson mass using large rapidity electrons

    We present a measurement of the W boson mass using data collected by the D0 experiment at the Fermilab Tevatron during 1994--1995. We identify W bosons by their decays to e-nu final states where the electron is detected in a forward calorimeter. We extract the W boson mass, Mw, by fitting the transverse mass and transverse electron and neutrino momentum spectra from a sample of 11,089 W -> e nu decay candidates. We use a sample of 1,687 dielectron events, mostly due to Z -> ee decays, to constrain our model of the detector response. Using the forward calorimeter data, we measure Mw = 80.691 +- 0.227 GeV. Combining the forward calorimeter measurements with our previously published central calorimeter results, we obtain Mw = 80.482 +- 0.091 GeV.

    Limits on WWZ and WW\gamma couplings from p\bar{p}\to e\nu jj X events at \sqrt{s} = 1.8 TeV

    We present limits on anomalous WWZ and WW-gamma couplings from a search for WW and WZ production in p-bar p collisions at sqrt(s)=1.8 TeV. We use p-bar p -> e-nu jjX events recorded with the D0 detector at the Fermilab Tevatron Collider during the 1992-1995 run. The data sample corresponds to an integrated luminosity of 96.0+-5.1 pb^(-1). Assuming identical WWZ and WW-gamma coupling parameters, the 95% CL limits on the CP-conserving couplings are -0.33<lambda<0.36 (Delta-kappa=0) and -0.43<Delta-kappa<0.59 (lambda=0), for a form factor scale Lambda = 2.0 TeV. Limits based on other assumptions are also presented.
    Comment: 11 pages, 2 figures, 2 tables

    Search For Heavy Pointlike Dirac Monopoles

    We have searched for central production of a pair of photons with high transverse energies in p\bar{p} collisions at \sqrt{s} = 1.8 TeV using 70 pb^{-1} of data collected with the DØ detector at the Fermilab Tevatron in 1994--1996. If they exist, virtual heavy pointlike Dirac monopoles could rescatter pairs of nearly real photons into this final state via a box diagram. We observe no excess of events above background, and set lower 95% C.L. limits of 610, 870, or 1580 GeV/c^2 on the mass of a spin 0, 1/2, or 1 Dirac monopole.
    Comment: 12 pages, 4 figures