QC-MDPC: A Timing Attack and a CCA2 KEM

International audienceIn 2013, Misoczki, Tillich, Sendrier and Barreto proposed a variant of the McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes. This proposal uses an iterative bit-flipping algorithm in its decryption procedure. Such algorithms fail with a small probability. At Asiacrypt 2016, Guo, Johansson and Stankovski (GJS) exploited these failures to perform a key recovery attack. They introduced the notion of the distance spectrum of a sparse vector and showed that the knowledge of the spectrum is enough to find the vector. By observing many failing plaintexts they recovered the distance spectrum of the QC-MDPC secret key. In this work, we explore the underlying causes of this attack, ways in which it can be improved, and how it can be mitigated. We prove that correlations between the spectrum of the key and the spectrum of the error induce a bias on the distribution of the syndrome weight. Hence, the syndrome weight is the fundamental quantity from which secret information leaks. Assuming a side-channel allows the observation of the syndrome weight, we are able to perform a key-recovery attack, which has the advantage of exploiting all known plaintexts, not only those leading to a decryption failure. Based on this study, we derive a timing attack. It performs well on most decoding algorithms, even on the recent variants where the decryption failure rate is low, a case which is more challenging to the GJS attack. To our knowledge, this is the first timing attack on a QC-MDPC scheme. Finally, we show how to construct a new KEM, called ParQ that can reduce the decryption failure rate to a level negligible in the security parameter, without altering the QC-MDPC parameters. This is done through repeated encryption. We formally prove the IND-CCA2 security of ParQ, in a model that considers decoding failures. This KEM offers smaller key sizes and is suitable for purposes where the public key is used statically

Ca2+-binding protein 2 inhibits Ca2+-channel inactivation in mouse inner hair cells

Ca2+ channels mediate excitation-secretion coupling and show little inactivation at sensory ribbon synapses, enabling reliable synaptic information transfer during sustained stimulation. Studies of Ca2+-channel complexes in HEK293 cells indicated that Ca2+-binding proteins (CaBPs) antagonize their calmodulin-dependent inactivation. Although human mutations affecting CABP2 were shown to cause hearing impairment, the role of CaBP2 in auditory function and the precise disease mechanism remained enigmatic. Here, we disrupted CaBP2 in mice and showed that CaBP2 is required for sound encoding at inner hair cell synapses, likely by suppressing Ca2+-channel inactivation. We propose that the number of activatable Ca2+ channels at the active zone is reduced when CaBP2 is lacking, as is likely the case with the newly described human CABP2 mutation

On the CCA2 Security of McEliece in the Standard Model

In this paper we study public-key encryption schemes based on error-correcting codes that are IND-CCA2 secure in the standard model. In particular, we analyze a protocol due to Dowsley, Muller-Quade and Nascimento, based on a work of Rosen and Segev. The original formulation of the protocol contained some ambiguities and incongruences, which we point out and correct; moreover, the protocol deviates substantially from the work it is based on. We then present a construction which resembles more closely the original Rosen-Segev framework, and show how this can be instantiated with the McEliece scheme

Timing attacks against the syndrome inversion in code-based cryptosystems

Abstract. In this work we present the first practical key-aimed timing attack against code-based cryptosystems. It arises from vulnerabilities that are present in the inversion of the error syndrome through the Extended Euclidean Algorithm that is part of the decryption operation of these schemes. Three types of timing vulnerabilities are combined to a successful attack. Each is used to gain information about the secret support, which is part of code-based decryption keys: The first allows recovery of the zero-element, the second is a refinement of a previously described vulnerability yielding linear equations, and the third enables to retrieve cubic equations