## CryptoDB

### Paper: Message-recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem

Authors: Pierre-Louis Cayrel , Univ. Lyon, UJM-Saint-Etienne, CNRS, Laboratoire Hubert Curien UMR 5516, F-42023, Saint-Etienne, France Brice Colombier , Univ. Grenoble Alpes, CNRS, Grenoble INP, TIMA, Grenoble, France Vlad-Florin Dragoi , Department of Mathematics and Computer Sciences, Aurel Vlaicu University of Arad, Bd. Revolutiei, No. 77, 310130-Arad, Romania Alexandre Menu , IMT, Mines Saint-Etienne, Centre CMP, Equipe Commune CEA Tech - Mines Saint-Etienne F-13541 Gardanne FRANCE Lilian Bossuet , Univ. Lyon, UJM-Saint-Etienne, CNRS, Laboratoire Hubert Curien UMR 5516, F-42023, Saint-Etienne, France DOI: 10.1007/978-3-030-77886-6_15 (login may be required) Search ePrint Search Google Slides EUROCRYPT 2021 Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually $\F_{2}$, guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in $\mathbb{N}$ instead. By means of laser fault injection, we illustrate how to force the matrix-vector product in $\mathbb{N}$ by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in $\mathbb{N}$, we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real-time message recovery attacks against all the code-based proposals to the NIST Post-Quantum Cryptography standardization challenge. We perform our attacks on worst-case scenarios, i.e. random binary codes, and retrieve the initial message within minutes on a desktop computer. Our practical evaluation of the attack targets the reference implementation of the Niederreiter cryptosystem in the NIST finalist \textit{Classic McEliece} and is feasible for all proposed parameters sets of this submission. For example, for the 256-bit security parameters sets, we successfully recover the plaintext in a couple of seconds on a desktop computer Finally, we highlight the fact that the attack is still possible if only a fraction of the syndrome entries are faulty. This makes the attack feasible even though the fault injection does not have perfect repeatability and reduces the computational complexity of the attack, making it even more practical overall.
##### BibTeX
@inproceedings{eurocrypt-2021-30807,
title={Message-recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem},
publisher={Springer-Verlag},
doi={10.1007/978-3-030-77886-6_15},
author={Pierre-Louis Cayrel and Brice Colombier and Vlad-Florin Dragoi and Alexandre Menu and Lilian Bossuet},
year=2021
}