The Hamming Quasi-Cyclic (HQC) cryptosystem was selected for standardization in the 4th round of the NIST post-quantum standardization competition targeting Public-key Encryption and Key-establishment algorithms. In this paper, we propose a profiling power side-channel attack on a HQC cryptosystem exploiting power consumption leakage during polynomial multiplication in the beginning of the decryption. The new attack scheme is based on generic methods such as Welch’s ANOVA test or multilayer perceptron with a grid-search algorithm used for the hyperparameter tuning. Consequently, it is easily extendable also to other side-channel attacks. Results of the practical evaluation are presented, using a 32-bit STM32F303 Arm Cortex-M4 processor as a target. We show that a trained model is able to recover the correct key bit from large majority of tests – in the practical evaluation, maximum 6 out of 20 000 tests failed in recovering the correct key bit. For the testing, we follow a single-trace scenario, which assumes that only one decryption power trace is available.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Profiling Side-Channel Attack on HQC Polynomial Multiplication Using Machine Learning Methods

  • Tomáš Rabas,
  • Jiří Buček,
  • Vincent Grosso,
  • Karolína Zenknerová,
  • Róbert Lórencz

摘要

The Hamming Quasi-Cyclic (HQC) cryptosystem was selected for standardization in the 4th round of the NIST post-quantum standardization competition targeting Public-key Encryption and Key-establishment algorithms. In this paper, we propose a profiling power side-channel attack on a HQC cryptosystem exploiting power consumption leakage during polynomial multiplication in the beginning of the decryption. The new attack scheme is based on generic methods such as Welch’s ANOVA test or multilayer perceptron with a grid-search algorithm used for the hyperparameter tuning. Consequently, it is easily extendable also to other side-channel attacks. Results of the practical evaluation are presented, using a 32-bit STM32F303 Arm Cortex-M4 processor as a target. We show that a trained model is able to recover the correct key bit from large majority of tests – in the practical evaluation, maximum 6 out of 20 000 tests failed in recovering the correct key bit. For the testing, we follow a single-trace scenario, which assumes that only one decryption power trace is available.