Cryptology ePrint Archive: Report 2021/1631

Secure Sampling of Constant-Weight Words – Application to BIKE

Nicolas Sendrier

Abstract: The pseudo-random sampling of constant weight word, as it is currently implemented in schemes like BIKE or HQC, is prone to the leakage of information on the seed being used. This creates a vulnerability when the semantic security conversion requires a deterministic re-encryption. This observation was first made in [HLS21] about HQC, and a timing attack was presented to recover the secret key. As suggested in [HLS21] a similar attack applies to BIKE and an instance of such an attack is presented here, as well as countermeasures similar to those suggested in [HLS21] for HQC. A new approach for fixing the issue is also proposed. It is first remarked that, contrary to what is done currently, the sampling of constant weight words doesn’t need to produce a uniformly distributed output. If the distribution is close to uniform in the appropriate metric, the impact on security is negligible. Also, a new variant of Fisher-Yates shuffle is proposed which is (1) very well suited for secure implementations against timing and cache attacks, and (2) produces constant weight words with a distribution close enough to uniform.

Category / Keywords: public-key cryptography / BIKE, timing attack, constant-weight words

Date: received 14 Dec 2021

Contact author: nicolas sendrier at inria fr

Available format(s): PDF | BibTeX Citation

Version: 20211217:142141 (All versions of this report)

Short URL: ia.cr/2021/1631


[ Cryptology ePrint archive ]