DPA-Style Attacks on HQC. This paper presents a new chosen-ciphertext DPA-style attack methodology against HQC, a NIST post-quantum cryptographic standard, that recovers secrets with few traces, even on masked implementations, and highlights the need for stronger countermeasures.
HQC (Hamming Quasi-Cyclic) was selected as the fifth algorithm in the NIST suite of post-quantum cryptographic (PQC) standards. As the only code-based algorithm currently standardized by NIST, HQC offers a good balance between security assurance, performance, and implementation simplicity. Most existing power analyses against HQC are of the SPA style: they can recover secrets with a small number of traces, but can only tolerate limited noise. In this paper, we develop a chosen-ciphertext DPA-style attack methodology against HQC. We formalize a dedicated chosen-ciphertext setting in which the adversary selects (u, v) to target the intermediate value v ⊕ (uy) over F2[x]/(x^n − 1). We further optimize the attack by reducing its computational complexity and generalizing it to target masked HQC implementations. The proposed approach is validated through both simulation and practical experiments. In noiseless simulations, full-key recovery is achieved with just 10 traces, and the required number of traces increases linearly with 1/SNR. In practical evaluations on an STM32F4 microcontroller, the secret key can be recovered with 50 traces without profiling and 20 traces with profiling. When first-order masking is applied, key recovery on the same hardware target remains feasible by exploiting second-order features, requiring approximately 3,000 traces without profiling. Our results establish a direct and analyzable connection between leakage on v ⊕ (uy) and end-to-end key recovery, emphasizing the necessity of higher-order masking countermeasures for HQC implementations.
This paper presents a significant contribution to the side-channel analysis of HQC, a code-based post-quantum cryptographic standard. Building upon the existing landscape of mostly SPA-style attacks, the authors introduce a novel chosen-ciphertext DPA-style attack methodology. This is particularly relevant as HQC is the sole code-based algorithm standardized by NIST, and understanding its practical vulnerabilities is crucial for secure deployment. The core of their methodology lies in formalizing a dedicated chosen-ciphertext setting to target the intermediate value `v ⊕ (uy)` over F2[x]/(x^n − 1), a critical departure from previous approaches that often targeted simpler, noiseless scenarios. The developed attack is rigorously validated through both simulations and practical experiments. In noiseless simulations, the attack demonstrates remarkable efficiency, achieving full-key recovery with as few as 10 traces, with the required trace count scaling linearly with 1/SNR. More importantly, practical evaluations on an STM32F4 microcontroller confirm its feasibility, recovering the secret key with 50 traces without profiling and a mere 20 traces with profiling. A significant strength of this work is its extension to masked implementations: even with first-order masking applied, the attack successfully recovers the key on the same hardware by exploiting second-order features, albeit requiring a higher but still practical 3,000 traces without profiling. The findings of this paper establish a direct and analyzable connection between the leakage from the `v ⊕ (uy)` operation and end-to-end key recovery for HQC. This work not only highlights a critical vulnerability in practical HQC implementations but also provides concrete evidence of the necessity for robust countermeasures.
The clear demonstration of the attack's efficacy against both unmasked and first-order masked implementations strongly emphasizes the urgent need for higher-order masking techniques to secure HQC against sophisticated DPA-style side-channel attacks. This research is invaluable for both implementers and security evaluators of HQC.
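To make the targeted quantity concrete, the following added example (not code from the paper) models the ring F2[x]/(x^n − 1), the intermediate value v ⊕ (uy) computed during decryption, and a simple Hamming-weight leakage model with noise scaled by SNR, the kind of simulation an evaluator uses to reason about how much leakage an implementation exposes. The ring size N, the secret weight W, the signal-variance estimate and the helper names are all constructed assumptions, not HQC parameters or the authors' methodology.

```python
# Added illustration (not the paper's code): the ring F2[x]/(x^n - 1), the
# intermediate value v XOR (u*y) that the paper's attack targets, and a simple
# Hamming-weight leakage model. Polynomials are Python ints (bit i = coeff of x^i).
# N and W are constructed toy sizes, not an HQC parameter set.
import math
import random

N = 17  # toy ring size; HQC uses a prime n in the tens of thousands
W = 3   # toy secret weight; HQC's y is a fixed low-weight vector


def ring_mul(a: int, b: int, n: int = N) -> int:
    """a*b in F2[x]/(x^n - 1): XOR of b cyclically rotated by each set bit of a."""
    mask = (1 << n) - 1
    acc = 0
    for i in range(n):
        if (a >> i) & 1:
            acc ^= ((b << i) | (b >> (n - i))) & mask
    return acc


def intermediate(u: int, v: int, y: int, n: int = N) -> int:
    """The targeted decryption intermediate v XOR (u*y); y is the secret."""
    return v ^ ring_mul(u, y, n)


def random_sparse_key(weight: int = W, n: int = N, rng=random) -> int:
    """Constructed low-weight secret y with exactly `weight` nonzero coefficients."""
    y = 0
    for pos in rng.sample(range(n), weight):
        y |= 1 << pos
    return y


def noise_std_for_snr(signal_var: float, snr: float) -> float:
    """Noise standard deviation giving the requested SNR = signal_var / noise_var."""
    return math.sqrt(signal_var / snr)


def hw_leakage(u: int, v: int, y: int, snr: float, rng=random, n: int = N) -> float:
    """One simulated trace sample: Hamming weight of the intermediate plus Gaussian
    noise. Signal variance is taken as n/4 (variance of the weight of n uniform bits)."""
    hw = bin(intermediate(u, v, y, n)).count("1")
    return hw + rng.gauss(0.0, noise_std_for_snr(n / 4, snr))
```

Because the intermediate is linear in y, every chosen (u, v) pair yields a key-dependent leakage sample; the paper's contribution is turning many such noisy samples into key recovery, which this toy model does not implement.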
DPA-Style Attacks on HQC, IACR Transactions on Cryptographic Hardware and Embedded Systems.