Paper 2019/292

Timing attacks on Error Correcting Codes in Post-Quantum Schemes

Jan-Pieter D'Anvers, Marcel Tiepelt, Frederik Vercauteren, and Ingrid Verbauwhede


While error correcting codes (ECC) have the potential to significantly reduce the failure probability of post-quantum schemes, they add an extra ECC decoding step to the algorithm. Even though this additional step does not compute directly on the secret key, it is susceptible to side-channel attacks. We show that if no precaution is taken, it is possible to use timing information to distinguish between ciphertexts that result in an error before decoding and ciphertexts that do not contain errors, due to the variable execution time of the ECC decoding algorithm. We demonstrate that this information can be used to break the IND-CCA security of post-quantum secure schemes by presenting an attack on two round 1 candidates to the NIST Post-Quantum Standardization Process: the Ring-LWE scheme LAC and the Mersenne prime scheme Ramstake. This attack recovers the full secret key using a limited number of timed decryption queries and is implemented on the reference and the optimized implementations of both submissions. It is able to retrieve LAC's secret key for all security levels in under 2 minutes using less than $2^{16}$ decryption queries and Ramstake's secret key in under 2 minutes using approximately $2400$ decryption queries. The attack generalizes to other lattice-based schemes with ECC in which any side-channel information about the presence of errors is leaked during decoding.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Theory of Implementation Security (TIS) 2019
Post-Quantum CryptographyDecryption FailuresSide-Channel Attacks
Contact author(s)
janpieter danvers @ esat kuleuven be
2019-09-03: revised
2019-03-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jan-Pieter D'Anvers and Marcel Tiepelt and Frederik Vercauteren and Ingrid Verbauwhede},
      title = {Timing attacks on Error Correcting Codes in Post-Quantum Schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2019/292},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.