Paper 2021/1631

Secure Sampling of Constant-Weight Words – Application to BIKE

Nicolas Sendrier


The pseudo-random sampling of constant weight word, as it is currently implemented in schemes like BIKE or HQC, is prone to the leakage of information on the seed being used. This creates a vulnerability when the semantic security conversion requires a deterministic re-encryption. This observation was first made in [HLS21] about HQC, and a timing attack was presented to recover the secret key. As suggested in [HLS21] a similar attack applies to BIKE and an instance of such an attack is presented here, as well as countermeasures similar to those suggested in [HLS21] for HQC. A new approach for fixing the issue is also proposed. It is first remarked that, contrary to what is done currently, the sampling of constant weight words doesn’t need to produce a uniformly distributed output. If the distribution is close to uniform in the appropriate metric, the impact on security is negligible. Also, a new variant of Fisher-Yates shuffle is proposed which is (1) very well suited for secure implementations against timing and cache attacks, and (2) produces constant weight words with a distribution close enough to uniform.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
BIKEtiming attackconstant-weight words
Contact author(s)
nicolas sendrier @ inria fr
2021-12-17: received
Short URL
Creative Commons Attribution


      author = {Nicolas Sendrier},
      title = {Secure Sampling of Constant-Weight Words – Application to BIKE},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1631},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.