https://hal.inria.fr/hal-01949590Eaton, EdwardEdwardEatonISARA CorporationLequesne, MatthieuMatthieuLequesneSECRET - Security, Cryptology and Transmissions - Inria de Paris - Inria - Institut National de Recherche en Informatique et en AutomatiqueSU - Sorbonne UniversiteĢParent, AlexAlexParentISARA CorporationSendrier, NicolasNicolasSendrierSECRET - Security, Cryptology and Transmissions - Inria de Paris - Inria - Institut National de Recherche en Informatique et en AutomatiqueQC-MDPC: A Timing Attack and a CCA2 KEMHAL CCSD2018Side-channel attackCode-based cryptographyQC-MDPC codesCCA2 securityTiming attackPost-quantum cryptographyKey encapsulation[INFO.INFO-CR] Computer Science [cs]/Cryptography and Security [cs.CR][MATH.MATH-IT] Mathematics [math]/Information Theory [math.IT]Lequesne, Matthieu2018-12-10 11:28:592022-12-09 12:20:512018-12-10 13:04:00enConference papershttps://hal.inria.fr/hal-01949590/document10.1007/978-3-319-79063-3_3application/pdf1In 2013, Misoczki, Tillich, Sendrier and Barreto proposed a variant of the McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes. This proposal uses an iterative bit-flipping algorithm in its decryption procedure. Such algorithms fail with a small probability. At Asiacrypt 2016, Guo, Johansson and Stankovski (GJS) exploited these failures to perform a key recovery attack. They introduced the notion of the distance spectrum of a sparse vector and showed that the knowledge of the spectrum is enough to find the vector. By observing many failing plaintexts they recovered the distance spectrum of the QC-MDPC secret key. In this work, we explore the underlying causes of this attack, ways in which it can be improved, and how it can be mitigated. We prove that correlations between the spectrum of the key and the spectrum of the error induce a bias on the distribution of the syndrome weight. Hence, the syndrome weight is the fundamental quantity from which secret information leaks. Assuming a side-channel allows the observation of the syndrome weight, we are able to perform a key-recovery attack, which has the advantage of exploiting all known plaintexts, not only those leading to a decryption failure. Based on this study, we derive a timing attack. It performs well on most decoding algorithms, even on the recent variants where the decryption failure rate is low, a case which is more challenging to the GJS attack. To our knowledge, this is the first timing attack on a QC-MDPC scheme. Finally, we show how to construct a new KEM, called ParQ that can reduce the decryption failure rate to a level negligible in the security parameter, without altering the QC-MDPC parameters. This is done through repeated encryption. We formally prove the IND-CCA2 security of ParQ, in a model that considers decoding failures. This KEM offers smaller key sizes and is suitable for purposes where the public key is used statically.