Paper 2021/1485

Don't Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

Qian Guo, Clemens Hlauschek, Thomas Johansson, Norman Lahr, Alexander Nilsson, and Robin Leander Schröder


Well before large-scale quantum computers will be available, traditional cryptosystems must be transitioned to post-quantum (PQ) secure schemes. The NIST PQC competition aims to standardize suitable cryptographic schemes. Candidates are evaluated not only on their formal security strengths, but are also judged based on the security with regard to resistance against side-channel attacks. Although round 3 candidates have already been intensively vetted with regard to such attacks, one important attack vector has hitherto been missed: PQ schemes often rely on rejection sampling techniques to obtain pseudorandomness from a specific distribution. In this paper, we reveal that rejection sampling routines that are seeded with secret-dependent information and leak timing information result in practical key recoveryattacks in the code-based key encapsulation mechanisms HQC and BIKE. Both HQC and BIKE have been selected as alternate candidates in the third round of the NIST competition, which puts them on track for getting standardized separately to the finalists. They have already been specifically hardened with constant-time decoders to avoid side-channel attacks. However, in this paper, we show novel timing vulnerabilities in both schemes: (1) Our secret key recovery attack on HQC requires only approx. 866,000 idealized decapsulation timing oracle queries in the 128-bit security setting. It is structurally different from previously identified attacks on the scheme: Previously, exploitable side-channel leakages have been identified in the BCH decoder of a previously submitted HQC version, in the ciphertext check as well as in the pseudorandom function of the Fujisaki-Okamoto transformation. In contrast, our attack uses the fact that the rejection sampling routine invoked during the deterministic re-encryption of the decapsulation leaks secret-dependent timing information, which can be efficiently exploited to recover the secret key when HQC is instantiated with the (now constant-time) BCH decoder, as well as with the RMRS decoder of the current submission. (2) From the timing information of the constant weight word sampler in the BIKE decapsulation, we demonstrate how to distinguish whether the decoding step is successful or not, and how this distinguisher is then used in the framework of the GJS attack to derive the distance spectrum of the secret key, using 5.8 x 10^7 idealized timing oracle queries. We provide details and analyses of the fully implemented attacks, as well as a discussion on possible countermeasures and their limits.

Available format(s)
Public-key cryptography
Publication info
Timing AttackRejection SamplingFujisaki-Okamoto TransformationPost-Quantum CryptographyHQCBIKE
Contact author(s)
qian guo @ eit lth se
clemens hlauschek @ inso tuwien ac at
thomas johansson @ eit lth se
norman @ lahr email
alexander nilsson @ eit lth se
leander schroeder @ inso tuwien ac at
2022-03-10: last of 3 revisions
2021-11-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Qian Guo and Clemens Hlauschek and Thomas Johansson and Norman Lahr and Alexander Nilsson and Robin Leander Schröder},
      title = {Don't Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1485},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.