Paper 2022/1529

Key-Recovery Fault Injection Attack on the Classic McEliece KEM

Sabine Pircher, Technical University of Munich, HENSOLDT Cyber GmbH
Johannes Geier, Technical University of Munich
Julian Danner, University of Passau
Daniel Mueller-Gritschneder, Technical University of Munich
Antonia Wachter-Zeh, Technical University of Munich

We present a key-recovery fault injection attack on the Classic McEliece Key Encapsulation Mechanism (KEM). The fault injections target the error-locator polynomial of the Goppa code and the validity checks in the decryption algorithm, making a chosen ciphertext attack possible. Faulty decryption outputs are used to generate a system of polynomial equations in the secret support elements of the Goppa code. After solving the equations, we can determine a suitable Goppa polynomial and form an alternative secret key. To demonstrate the feasibility of the attack on hardware, we simulate the fault injections on virtual prototypes of two RISC-V cores at register-transfer level.

Available format(s)
Attacks and cryptanalysis
Publication info
Post-Quantum Cryptography Key Recovery Fault Attack Classic McEliece
Contact author(s)
sabine pircher @ tum de
johannes geier @ tum de
julian danner @ uni-passau de
daniel mueller @ tum de
antonia wachter-zeh @ tum de
2022-11-07: approved
2022-11-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Sabine Pircher and Johannes Geier and Julian Danner and Daniel Mueller-Gritschneder and Antonia Wachter-Zeh},
      title = {Key-Recovery Fault Injection Attack on the Classic McEliece KEM},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1529},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.