Higher-Order Masking Scheme against DPA Attack in Practice: McEliece Cryptosystem Based on QD-MDPC Code

Abstract

A code-based cryptosystem can resist quantum-computing attacks. However, an original system based on the Goppa code has a large key size, which makes it unpractical in embedded devices with limited sources. Many special error-correcting codes have recently been developed to reduce the key size, and yet these systems are easily broken through side channel attacks, particularly differential power analysis (DPA) attacks, when they are applied to hardware devices. To address this problem, a higher-order masking scheme for a McEliece cryptosystem based on the quasi-dyadic moderate density parity check (QD-MDPC) code has been proposed. The proposed scheme has a small key size and is able to resist DPA attacks. In this paper, a novel McEliece cryptosystem based on the QD-MDPC code is demonstrated. The key size of this novel cryptosystem is reduced by 78 times, which meets the requirements of embedded devices. Further, based on the novel cryptosystem, a higher-order masking scheme was developed by constructing an extension Ishai-Sahai-Wagne (ISW) masking scheme. The authenticity and integrity analysis verify that the proposed scheme has higher security than conventional approaches. Finally, a side channel attack experiment was also conducted to verify that the novel masking system is able to defend against high-order DPA attacks on hardware devices. Based on the experimental validation, it can be concluded that the proposed higher-order masking scheme can be applied as an advanced protection solution for devices with limited resources.

1. Introduction

1.1 introduction

With the rapid development of quantum-computing theory and technology, traditional public key cryptosystems face high security risks [1]. According to the principle of Shor’s algorithm, many researchers believe that cryptosystems based on the number theory problem will no longer be safe in the age of quantum computers. However, public key cryptosystems based on coding theory will be able to resist quantum-computing attacks [2]. In 1978, the original code-based cryptosystem, the McEliece public cryptosystem based on the Goppa code, was proposed [3]. Compared with a traditional public key cryptosystem, code-based cryptography is of higher efficiency during the encryption and decryption process. However, the large key size of the original McEliece makes it difficult to be applied in practice on embedded devices with limited resources [4]. Recently, to reduce the key size, some improved McEliece cryptosystems have been developed based on various types of error correcting codes such as the LDPC, MDPC, QC-MDPC, and QD-Goppa codes [5-8]. Although these improved cryptosystems satisfy the application requirements of embedded devices, they cannot defend against side channel attacks [9].

The most widely used technique for implementing a side channel attack is a power analysis method. Among all power analysis methods, the differential power analysis (DPA) attack is most threatening to cryptographic algorithms [10, 11] because of the low implementation cost, large attack intensity, and small key search space. Therefore, many studies have been conducted on defending against DPA attacks [12-14]. As of now, there are two developed defense technologies against DPA attacks, namely, masking technology [13] and hiding technology [14]. Among them, masking technology is more popularly applied owing to its relatively low cost.

On the other hand, code-based cryptography against DPA attacks has also been proposed [15, 16]. In 2014, Maurich et al. proposed the use of a masking scheme for code-based cryptosystems by adding redundancy calculations [15]. However, this scheme can only resist a simple power analysis (SPA), but not a DPA attack. In 2016, Chen et al. proposed a masking scheme that uses the principle of secret sharing to protect the key and syndrome matrix of a code-based cryptosystem [16]. The scheme is able to defend against low-order DPA attacks, although its high-order DPA defense capability is very limited [17].

In this paper, a masking scheme for McEliece cryptosystems based on the QD-MDPC code is presented. The proposed scheme is able to defend against higher-order DPA attacks. The design of the scheme is divided into two parts. (1) First, a novel QD-MDPC McEliece cryptosystem and a QD-MDPC code are constructed. Compared with the original scheme, the key size of the novel scheme has been reduced by 78 times, and a lower complexity is achieved. At the same time, structural and decoding attack tests were conducted and successfully defended, which verifies the security of the new scheme. (2) Based on the new cryptosystems, a higher-order masking scheme is proposed by extending the ISW security-masking scheme over \(\mathrm{F}_{2} \mathrm{n}\) . A side-channel attack experiment for the masking scheme on the FPGA platform has been conducted. The experimental results verify that the proposed scheme is able defend against high-order DPA attacks.

The rest of the paper is organized as follows: In Section 2, the related basic knowledge and information are reviewed. In Section 3, a novel McEliece cryptosystem designed through the construction of the QD-MDPC code is described, and the complexity and security of the novel scheme are analyzed. In Section 4, a higher-order masking scheme for the QD-MDPC McEliece cryptosystem is proposed. In Section 5, a side-channel attack experiment conducted on the masking scheme is discussed. Finally, Section 6 presents some concluding remarks regarding this research.

2. Preliminaries

2.1 Code-Based Cryptosystem

• Coding Theory [18] Definition 1 (linear codes). A binary (n, r) linear code C with length n, dimension n-r, and co-dimension r is a \((n-r)\)-dimensional vector subspace of \(\mathrm{F}_{2} n\) . It is spanned by the rows of a matrix\(G \in \mathrm{F}_{2}^{k \times n}\) , called a generator matrix of C. Equivalently, it is the kernel of a matrix ∈ F2 × , called a parity-check matrix of C. The codeword \(c \in C\) of a vector \(m \in \mathrm{F}_{2}^{(n-r) \times n}\) is \(c=m G\) . The syndrome \(\boldsymbol{s} \in \mathbb{F}_{2}^{r}\) of a vector \(e \in \mathrm{F}_{2}^{n}\) is \(s=H e^{T}\) .

Definition 2 (Hamming weight). The Hamming weight of a vector \(x_{1}, x_{2}, \ldots, x_{n} \in F_{2}^{n}\) is the numberw \(w t(x)\) of its non-zero components.

Definition 3 (dyadic matrix). Here, R is a ring, and vector \(h=\left(h_{0}, \cdots, h_{n-1}\right) \in R^{n}\). The dyadic matrix \(\Delta(h) \in R^{n \times n}\) is a symmetric matrix with components \(\Delta_{i, j}=h_{i \oplus j}\) , where ⨁ denotes a bitwise exclusive-or. Sequence \(h\) is the seed of the dyadic matrix. The form of △ (ℎ) follows formula (1).

\(\Delta(h)=\left[\begin{array}{ccc} {h_{0 \oplus 0}} & {\cdots} & {h_{0 \oplus n}} \\ {\vdots} & {\ddots} & {\vdots} \\ {h_{n \oplus 0}} & {\cdots} & {h_{n \oplus n}} \end{array}\right]\)       (1)

A quasi-dyadic matrix contains several dyadic matrices. If n is a power of 2, then a \(2^{k} \times 2^{k}\) dyadic matrix M can be recursively characterized as \(M=\left[\begin{array}{ll} {A} & {B} \\ {B} & {A} \end{array}\right]\) , where A and B are \(2^{k-1} \times 2^{k-1}\) dyadic submatrices. It is clear that the seed \(h=\left(h_{0}, \cdots, h_{n-1}\right)\) of a dyadic matrix coincides with its first row, and each row is a permutation of h.

Definition 4 (MDPC code). A (n, r, w) MDPC code is easily generated by picking a random \(r \times n\) matrix with rows of weight w: (1) Generate r vectors\(\left(h_{i} \in \mathrm{F}_{2} \mathrm{n}\right)_{0 \leq i \leq r}\) of weight w uniformly at random. (2) The MDPC code is defined by a parity-check matrix \(H \in \mathrm{F}_{2} \mathrm{n}\) of the i-th row \(h_{i}\) . With overwhelming probability, this matrix is of full rank, and the rightmost × block is always invertible after possibly swapping a few columns.

The BF Decoding Algorithm - Gallager proposed a BF decoding algorithm for the LDPC code [19]. According to the parity-check matrix of the QD-MDPC code, which has a larger density, the decision threshold \(T\) is set as \(M a x_{u p c}-\delta\) , where \(\delta\) is a small integer [20]. The number of iterations is reduced through an increase in the number of flipping bits per iteration, and thus the decoding complexity is reduced. The BF decoding algorithm is shown in Algorithm 1.

Algorithm 1 BF decoding algorithm

 

• The original McEliece cryptosystem

The first code-based cryptosystem was based on the Goppa code, proposed by McEliece [3] in 1978. A binary Goppa code is defined by a (irreducible) polynomial of degree t over \(\mathrm{F}_{2} \mathrm{m}\) . Corresponding to each such polynomial, there exists a binary Goppa code of length \(n=2^{m}\) , dimension \(k>n-m t\) , and minimum distance \(d=2 t+1\), where t is the number of errors correctable using an efficient decoding algorithm.

Key Generation. The public-key is\(G^{\prime}=S G P\), where G is a \(k \times n\) generator matrix for the Goppa code, S is a \(k \times k\) non-singular matrix, and P is an \(n \times n\) permutation matrix. In addition, the private keys are S, G, and P.

Encryption. First set a plaintext m, and then generate an error vector e, whose Hamming weight is at most t. Finally, compute \(c=m G^{\prime} \oplus \epsilon\) .

Decryption. First compute \(c P^{-1}=m S G \oplus e P^{-1}\) , and then compute \(m S=\varphi_{D}\left(c P^{-1}\right)\) , where is the decoding algorithm of the Goppa code. Finally, compute the plaintext \(m S S^{-1}=m\) .

2.2 DPA Attack [10]

A DPA attack is one of the most popular side channel attacks. The total energy consumption of a common CMOS circuit is mainly caused by a dynamic energy consumption, which is mainly related to the processing, which is the physical circuit basis of an energy attack.

The DPA attack includes two steps: waveform acquisition and data analysis. A waveform acquisition occurs on the hardware part; however, this article mainly uses the simulation software, and thus is mainly related to a data analysis, the detailed steps of which are as follows: (1) Decrypt different ciphertext N groups and measure the energy trace during the McEliece operation process \(\left\{P_{i} | 1 \leq i \leq N\right\}\).

(2) Select a bit of the output value of the attack point as a function D, with b indicating the bit value, called an intermediate value. It is easy to see that the value of b depends on key K and plaintext M, which can be indicated as \(D(K, M)\). The related value during an attack is then estimated to obtain the corresponding intermediate value. According to the intermediate value, the energy trace of N groups can be divided into two categories, \(S_{1}=\left\{P_{1} | D=1,1 \leq\right.i \leq N\} \text { and } S_{0}=\left\{P_{1} | D=0,1 \leq i \leq N\right\}\).

(3) The average power consumptions of sets \(S_{l}\) and \(S_{0}\) are calculated separately. The results are \(A_{1}=\frac{1}{s_{1}} \Sigma S_{1}(i) \text { and } A_{0}=\frac{1}{s_{0}} \Sigma S_{0}(i)\). Here, \(S_{l}\) and \(S_{0}\) indicate the number of energy traces corresponding to the collection \(\left|S_{1}\right|+\left|S_{0}\right|=N\) .

(4) The difference between them is \(T=A_{1}-A_{0}\). If the key is correctly estimated, and the classification of the energy traces is correct, that is, all traces of b = 1 point to \(S_{1}\), and the remaining traces of b = 0 are assigned to \(S_{0}\), an obvious peak occurs in the energy traces. If the key is not correct, the peak of T will be very small or no peak will occur.

• TVLA Test

A leakage assessment is the only method of detection, whose purpose is to find a potential side channel information leak of the cryptosystem. When a DPA attack model attacks a cryptosystem, it is mainly based on the side channel information. A leakage assessment mainly detects the existence of side channel information. This methodology is called a test vector leakage assessment (TVLA) [22].

A TVLA test is applied to verify the security of our McEliece cryptographic algorithm, and is successfully used in a first-order side-channel analysis [22]. For a high-order DPA attack, we also need to update the TVLA metric computation formula. A detailed description of how to modify the TVLA metric method for a high-order DPA attack has been provided [25].

The first byte of ciphertext c and the inverse matrix \(P^{-1}\) perform multiplications over F_2⁸, and the result of such a multiplication operation is used as an attack target. First, 100,000 energy traces are collected for the TVLA test, and each energy trace has 2,000 leakage points. These energy traces are then partitioned into two sets. Next, we compute the mean and standard deviation of each set [26]. The mean is marked as \(u_{1}\) and \(u_{0}\), and the standard deviation is marked as \(\sigma_{1}\) and \(\sigma_{0}\). Finally, the TVLA value is computed.

 

Fig. 1. TVLA test results

As shown in Fig. 1, the TVLA value exceeds the safe value (such as ±4.5 [26]). If any TVLA value in Fig. 1 does not exceed the security value, it means that the McEliece algorithm does not participate in the leakage associated with the key information.

3. McEliece Cryptosystem Based on QD-MDPC Code

In this section, we first construct the QD-MDPC code by compacting the public-key matrix of the MDPC code using a quasi-dyadic matrix. A McEliece cryptosystem based on the QD-MDPC code is then constructed.

3.1 Constructing QD-MDPC Code

We select a linear code with length \(n=2^{m}\) , dimension \(k=2^{m-1}\) , and co-dimension \(r=2^{m-1}\), where m denotes a positive integer. The parity-check matrix H over F_2ⁿ is shown in formula (2).

\(H=\left[H_{0}\left|H_{1}\right| \ldots | H_{n_{0}-1}\right]\)       (2)

where \(H_{n}\) is a dyadic matrix. We set \(h_{n}=\left(e_{0}, \dots, e_{r-1}\right) \in \mathrm{F}_{2^{n}}, n=0,1, \dots, n_{0}-1\), and then dyadic matrix \(H_{n}\) is as shown in formula (3).

\(H_{n}=\left(\begin{array}{ccc} {e_{0}} & {\cdots} & {e_{r-1}} \\ {\vdots} & {\ddots} & {\vdots} \\ {e_{r-1}} & {\cdots} & {e_{(r-1) \oplus(r-1)}} \end{array}\right)\)       (3)

We assume that \(H_{n_0-1}\) is a non-singular matrix. The generator matrix G can be denoted as \(G=[I | Q]\), where

\(Q=\left[\begin{array}{c} {\left(H_{n_{0}-1}^{-1} \cdot H_{0}\right)^{T}} \\ {\left(H_{n_{0}-1}^{-1} \cdot H_{1}\right)^{T}} \\ {\vdots} \\ {\left(H_{n_{0}-1}^{-1} \cdot H_{n_{0}-2}\right)^{T}} \end{array}\right]\)       (4)

and I denotes the identity matrix. Finally, a QD-MDPC code is constructed using the parity-check matrix H and the generator matrix G.

3.2 McEliece Cryptosystem Based on QD-MDPC Code

The novel McEliece cryptosystem is constructed as follows:

• Key Generation.

(1) Generate a parity-check matrix \(H \in \mathrm{F}_{2} r \times n\) of the QD-MDPC code, as described above.

(2) Generate its corresponding generator matrix \(G \in \mathrm{F}_{2} k \times n\) , as described above.

(3) Compute the public-key matrix \(G^{\prime}=S G P\) , where we randomly select a k-order non-singular matrix S and an n-order permutation matrix P, which are used to generate a complete public-key \(G^{\prime}\), and only the first line elements of \(G^{\prime}\) need to be stored.

The n-order permutation matrix P, k-order non-singular matrix S, and generator matrix G are private keys, and the matrix ′ is a public key.

• Encryption. To encrypt a plaintext \(m \in \mathrm{F}_{2} k\) into \(c \in \mathrm{F}_{2} n\) , the following are applied:

(1) Generate  \(e \in \mathrm{F}_{2} n\) of \(W(e)\) ≤ at random.

(2) Compute ciphertext  \(c=m G^{\prime} \oplus e\) .

• Decryption. To decrypt a ciphertext \(c \in \mathrm{F}_{2} n\) into \(m \in \mathrm{F}_{2} k\) , the following are applied:

(1) Compute \(c P^{-1}\) = \(m S G \oplus e P^{-1}\).

(2) Compute \(m S\) = \(\varphi_{H}\left(c P^{-1}\right)\) using the BF decoding algorithm.

(3) Compute plaintext \(m S S^{-1}=m\) .

3.3 Performance Analysis

(1) Security Analysis

Recently, the LDPC code was successfully cracked using the dual code attack (DCA) and information set decoding attack (ISDA) [6, 28]. Aiming at the problem of structural defects of the error-correcting code, both of the above attacks are the main methods of attack of a McEliece cryptosystem by searching for low-weight codewords [29]. The DCA attack method attempts to obtain a private key according to the public key, and then recover the plaintext. Meanwhile, the ISDA attack method attempts to decrypt the ciphertext directly. The following analysis will show that our McEliece can resist DCA and ISDA attacks.

• DCA Attack Analysis

The DCA attack method obtains a private-key according to the public key by searching for a low-weight codeword in the dual code of the QD-MDPC code. We give a parity-check matrix \(H^{\prime}\). Attackers can easily find the line weight of \(H^{\prime}\) according to the sparseness of its structure, and then decrypt the ciphertext. If the work factor (WF), namely, the time complexity of successfully attacking a cryptosystem, is greater, the public key cryptosystem based on the error-correcting code has more security. For the LDPC code, the WF of the DCA is heavily correlated with the line weight of \(H^{\prime}\), and does not have a significant correlation with code length n [20]. To allow the QD code to resist a DCA, we use the MDPC code to improve the QD code, and the QD-MDPC code then generates a parity-check matrix H that has a larger density. Thus, our code generates a more compact matrix G, and does not need to resist a DCA by increasing the length of the code, as with the LDPC code. It can be seen from the above that McEliece based on the QD-MDPC code can resist a DCA.

• ISDA Attack Analysis

Among the currently known attack methods, ISDA has the smallest WF. According to the encryption process \(c=m G^{\prime} \oplus e\) , and if public key \(G^{\prime}\) is known, attackers can restore k-bit plaintext m by intercepting n-bit ciphertext c. ISDA first obtains the following three parameters: the selection of (1) k-bits \(C_{k}\) from ciphertext c, (2) the corresponding k-bits \(e_{k}\) from error vector e, and (3) the corresponding k-order matrix  \(G_{k}^{\prime}\) from public key \(G^{\prime}\). It then computes \(c_{k}=m G_{\mathrm{k}}^{\prime} \oplus e_{k}\) . If \(G_{k}^{\prime}\) is a non-singular matrix, we set its inverse matrix as \(G_{k}^{\prime-1}\), and the attackers then compute \(m=\left(x_{k} \oplus e_{k}\right) G_{k}^{\prime-1}\) . If \(e_{k}=0\), attackers can easy obtain the plaintext \(m=x_{k} G_{k}^{\prime-1}\). Therefore, the WF of ISDA is associated with the error correcting vector e, and increases when the density of the error correcting vector e is added [20]. The MDPC code is compared with the LDPC code, and has a higher error correction capability.

McEliece based on the QD-MDPC code can increase the WF by increasing the density of error correcting vector e, which allows our algorithm to obtain a high level of security.

(2) Efficiency Analysis

This section demonstrates that our algorithm improves the efficiency of a McEliece cryptosystem based on the Goppa code in terms of the key size, bit rate, and encryption and decryption complexity.

• Key Size and Bit Rate According to the characteristics of a dyadic matrix, the first row of each dyadic sub-matrix can generate an entire quasi-dyadic matrix. In this paper, we take the finite field F₂⁸ as an example to analyze the efficiency of the novel McEliece cryptosystem. The size of a public key is 8 ∗ p, where p is taken from [2¹¹, 2¹⁴]. When p is changed, the change in key size is as shown in Fig. 2.

The key size of the original McEliece cryptosystem based on Goppa is 32,730 Bytes. If parameter p takes the maximum value in Fig. 2, the key size of our scheme is reduced by about 78 times when compared with the conventional schemes.

 

Fig. 2. Key size of the novel McEliece with the change in p

• Encryption Complexity

The complexity of the McEliece encryption includes the complexity of the key generation and encryption. In the process of key generation, we need to compute the inverse matrix \(H_{n_{0}-1}^{-1}\), and then obtain the public key G′. According to the dyadic characteristics of a block matrix, we use a fast algorithm to obtain the inverse matrix \(H_{n_{0}-1}^{-1}\) , which reduces the computational complexity. The encryption operations include a matrix multiplication and matrix addition.

As shown in Fig. 3, with the increase in the p value, the bit encryption requires binary operands, and an operand does not exceed 2,550 bytes in the novel McEliece encryption. Thus, our algorithm has less computational complexity compared with the conventional algorithms.

 

Fig. 3. Encryption complexity of novel McEliece

• Decryption Complexity

A decoding algorithm is the key to determining the decryption complexity. Currently, many decoding algorithms of error-correcting codes can be generally divided into two classes: 1) an algorithm with a strong error-correcting capability and high computational complexity, such as the sum product algorithm (SPA) [23], and 2) an algorithm with low computation complexity, such as the BF decoding algorithm. A comparative analysis between the BF and SPA decoding algorithms when used to decode our novel McEliece cryptosystem is shown in Fig. 4.

 

Fig. 4. Decryption complexity of novel McEliece

As shown in Fig. 4, the computational complexity of the SPA decoding algorithm is 5 to 6 times the computational complexity of the BF decoding algorithm. Thus, we use the BF decoding algorithm to decode the McEliece cryptosystem based on the QD-MDPC code.

4. Higher-Order Masking for McEliece Based on QD-MDPC Code

4.1 DPA Attack Analysis

An implementation of the McEliece cryptographic algorithm based on the QD-MDPC code includes a linear operation (XOR) and non-linear operation (multiplication over F₂n ). When the McEliece cryptographic algorithm based on the QD-MDPC code is applied to hardware devices, a linear operation cannot cause a leakage of information, but more energy will be consumed when carrying out a non-linear operation, and such energy consumption causes a leakage of key information. Thus, if an adversary implements a DPA attack, a non-linear operation faces high risks. A DPA attack analysis of McEliece based on the QD-MDPC algorithm is shown in Fig. 5.

In Fig. 5, the positions of AP1, AP2, and AP3 are non-linear operation parts of the algorithm, and thus these positions can easily reveal a private key if they suffer from a DPA attack.

 

Fig. 5. DPA attack positions for McEliece based on QD-MDPC code

4.2 Higher-Order Masking Scheme for McEliece based on QD-MDPC code

As described in Section 4.1, multiplication over \(\mathrm{F}_{2} \mathrm{n}\) of McEliece based on the QD-MDPC code algorithm is vulnerable to a DPA attack. To securely carry out a multiplication operation over \(\mathrm{F}_{2} \mathrm{n}\) , we propose a higher-order masking scheme according to the ISW security masking scheme.

Because the original ISW masking scheme [3] can only ensure the security of an XOR operation over finite field F₂, we first need to extend the original ISW masking scheme from finite fields F₂ to \(\mathrm{F}_{2} \mathrm{n}\) to guarantee the operational security of multiplication over finite field \(\mathrm{F}_{2} \mathrm{n}\)

• Extension of ISW Masking Scheme as Follows:

Step 1: A higher-order masking scheme for multiplication over \(\mathrm{F}_{2} \mathrm{n}\) (non-linear functions) is initialized as follows:

(1) We suppose that a and b are sensitive variables, such that \(a=\mathrm{g}(k)\) and \(b=\mathrm{h}(k)\) for two F₂-linear functions g and h, where k is a random number over \(\mathrm{F}_{2} \mathrm{n}\) .

(2) Data k is randomly split into \(\left(k_{i}\right)_{i}, 0 \leq i \leq d\) , which satisfies

\(\oplus_{i=0}^{d} g\left(k_{i}\right)=\oplus_{i=0}^{d} a_{i}\)and \(\oplus_{i=0}^{d} \mathrm{h}\left(k_{i}\right)=\oplus_{i=0}^{d} b_{i}\), where d denotes the security level, that is, the order of the DPA attack.

Step 2: Function f is defined from\(\mathrm{F}_{2} \mathrm{n} \oplus \mathrm{F}_{2} \mathrm{n} \rightarrow \mathrm{F}_{2} \mathrm{n}\) , following formula (5).

\(f(x, y)=\mathrm{h}(x) \odot \mathrm{g}(y) \oplus \mathrm{g}(x) \odot \mathrm{h}(y)\)       (5)

where x denotes the share k_i, y denotes the share k_j, and ⨀ denotes the multiplication over \(\mathrm{F}_{2} \mathrm{n}\) . According to formula (5), formula (6) is derived by introducing a random number k:

 \(v_{j, i}=a_{i} b_{j} \oplus a_{j} b_{i} \oplus v_{i, j}=v_{i, j} \oplus f\left(k_{i}, k_{j}\right)\)       (6)

where v_i.j , denotes a random number.

Step 3: f(k_i ,k_j ) cannot be directly computed because it will leak into two different shares of a and b at the same time. To avoid such a leakage, we use an additional fresh random value, denoted as \(v_{i, j}^{\prime}\), to split in the computation of f(k_i ,k_j ).

It can be determined whether the F₂ linearity of g and h implies the F₂ bilinearity of f. That is, for every x, y, r∈ \(\mathrm{F}_{2} \mathrm{n}\) , satisfies formula (7).

\(f(x, y)=f(x, y \oplus r) \oplus f(x, r)\)       (7)

To protect shares aj and bj, formula (8) is derived through formula (7).

\(v_{j, i}=\left(v_{i, j} \oplus f\left(k_{i}, k_{j} \oplus v_{i, j}^{\prime}\right)\right) \oplus f\left(k_{i}, v_{i, j}^{\prime}\right)\)       (8)

Step 4: To protect the shares a_i and b_j, and not increase the number of computations, we derive from formula (8) the expression for generating a random number in our scheme (formula (11)) based on formulas (9) and (10). The function w maps  \(\mathrm{F}_{2} n\) to \(\mathrm{F}_{2} n\) .

\(w(x)=h(x) \odot g(x)\)       (9)

where x denotes the share ki, and ⨀ denotes the multiplication over \(\mathrm{F}_{2} n\) . The F₂ linearity of g and h then implies the following relation between f and w. For every x, y ∈ \(\mathrm{F}_{2} n\) , satisfies formula (10).

\(f(x, y)=\mathrm{w}(x \oplus y) \oplus \mathrm{w}(x) \oplus \mathrm{w}(y)\)       (10)

We then obtain formula (11).

\(v_{j, i}=\left(\left(v_{i, j} \oplus \mathrm{w}\left(k_{i} \oplus v_{i, j}^{\prime} \oplus k_{j}\right)\right) \oplus \mathrm{w}\left(k_{i} \oplus v_{i, j}^{\prime}\right) \oplus \mathrm{w}\left(k_{j} \oplus v_{i, j}^{\prime}\right)\right) \oplus \mathrm{w}\left(v_{i, j}^{\prime}\right)\)        (11)

where the brackets indicate the order in which the operations are processed.

 

Fig. 6. Extension ISW masking scheme

Step 5: According to Fig. 6, each loop generates d random numbers to respectively ensure that the shares of a and b perform the multiplication over \(\mathrm{F}_{2} n\) , that is, \(z_{i}=z_{i} \oplus v_{i, 0} \oplus \ldots \oplus v_{i, i-1} \oplus v_{i, i+1} \oplus \ldots \oplus v_{i, d}\) .

The extension the ISW masking scheme is as shown in Fig. 6. We set the random array as \(v=\left\{v_{i, j} | 0 \leq i \leq d, 0 \leq j \leq d, i \neq j\right\}\), where \(v_{i, j}(i is generated by a random number generator, and \(v_{i, j}(i>j)\) is produced through the expression used to generate random numbers that we described earlier in this section. Next, we conduct a multiplication over \(\mathrm{F}_{2} n\) for the shares of a and b, and then obtain the result \(z_{i}=a_{i} \odot b_{i}\) . Finally, the result is used to XOR d random numbers in the inner loop. Note that d random numbers are independent of each other and are uniformly distributed. We compute \(\oplus_{i=0}^{d} z_{i}=z\) to remove the mask, and obtain the real value z.

A specific comparison between the extension of the ISW masking scheme and the original ISW masking scheme is shown in Table 1.

Table 1. Comparison and analysis of the schemes

 

In Table 1, we can see that the original ISW masking scheme mainly protects the logic AND gate, that is, the XOR operation over F₂ , and thus this scheme is unsuitable for protecting the OQ-MDPC McEliece algorithm over \(\mathrm{F}_{2} n\) . However, our extension of ISW masking scheme as shown above is constructed through defining the sensitive variables in the form of polynomial over \(\mathrm{F}_{2} n\) , so it can protect the multiplication over \(\mathrm{F}_{2} n\) , and allow the QD-MDPC McEliece algorithm to resist against a high-order DPA attack.

• Higher-Order Masking Scheme for McEliece based on QD-MDPC Code

According to the extension ISW masking scheme that we designed, a high-order masking scheme for McEliece based on the QD-MDPC code is proposed. We also need to consider the logic problem involved in the decryption process. The specific flow of McEliece based on the masking encryption algorithm of the QD-MDPC code is given in Algorithm 2.

Algorithm 2 A higher-order masking encryption algorithm for McEliece based on QD-MDPC code

 

The specific flow of McEliece based on the masking decryption algorithm of the QD-MDPC code is given in Algorithm 3.

Algorithm 3 A higher-order masking decryption algorithm for McEliece based on QD-MDPC code  

 

4.3 Security Analysis

A typical higher-order masking scheme (that is, a d-order masking scheme) must satisfy both of the following characteristics to ensure its integrity and security [21]:

(1) Authenticity: Every tuple of d or less intermediate variables must be independent of any sensitive variables.

(2) Integrity: At the end of the computation, the sum of the d shares must yield the expected ciphertext (and more generally, each masked transformation must result in a set of shares whose sum equals the correct intermediate result).

4.3.1 Authenticity Analysis for Masking Scheme

The security analysis of the masking scheme is based primarily on the following assumption: If the masked intermediate variables do not have a dependency on the real intermediate variables, the energy consumption of the masked intermediate variables do not have a dependency on the real intermediate variables. Therefore, when the assumption does not hold, our masking scheme is vulnerable to a DPA attack. We use the lemma of the security proof on the intermediate variables proposed by Blomer and Canright to analyze the security of our masking scheme [24, 27]. The masking scheme theoretically has high-order security if all masked intermediate variables generated from our masking scheme satisfy the following lemmas.

Lemma 1 [24]. For any \(u \in \mathrm{F}_{2} n\) , if \(r \in \mathrm{F}_{2}^{n}\) in the collection \(\left\{0,1, \ldots, 2^{n}-1\right\}\) obeys a uniform distribution and is independent of u, z= u⨁r also satisfies a uniform distribution.

Lemma 2 [24]. For any u, u′ ∈ \(\mathrm{F}_{2} n\) , if r, r′ ∈ \(\mathrm{F}_{2} n\) in the collection \(\left\{0,1, \ldots, 2^{n}-1\right\}\) obey a uniform distribution and are independent of u and u′ , Z= ( u⨁r )( u′⨁ r′) also satisfies formula (12).

\(\operatorname{Pr}(Z=i)=\left\{\begin{array}{ll} {\frac{2^{n+1}-1}{2^{2 n}}} & {\text { if } i=0} \\ {\frac{2^{n}-1}{2^{2 n}}} & {\text { if } i \neq 0} \end{array}\right.\)       (12)

This is called a random multiplication distribution.

Lemma 3 [27]. For any u∈ \(\mathrm{F}_{2} n\) that obeys a uniform distribution, if \(\mathrm{F}_{2} n\) has a bijective function from \(\mathrm{F}_{2} n\) → \(\mathrm{F}_{2} n\) , y = f(u) also obeys a uniform distribution.

Now, we use Lemmas 1, 2, and 3 to prove that our masking scheme is secure.

Theorem 1 [27]. If \(u=\left\{u_{1}, u_{2}, \ldots, u_{2 n}\right\} \in \mathrm{F}_{2}^{n}\) obeys a uniform distribution, the two half subsets of u, \(y_{1}=\left[u_{1}, u_{2}, \ldots, u_{n}\right]\) and \(y_{2}=\left[u_{n+1}, u_{n+2}, \ldots, u_{2 n}\right]\) are independent of each other and are uniformly distributed.

(1) We suppose that, in our designed masking scheme, the random masks , \(v_{i, j} \stackrel{\$}{\leftarrow} \mathrm{F}_{2^{n}}\) and , \(v_{i, j}^{\prime} \stackrel{\$}{\leftarrow} \mathrm{F}_{2^{n}}\) all obey a uniform distribution, and are independent of sensitive variables a and b and shares (0 ≤ i ≤ d ). According to Lemma 1, we obtain \(\left(k_{i} \oplus v_{i, j}^{\prime}\right) \oplus k_{j}\) , where \(k_{i} \oplus v_{i, j}^{\prime}\) and \(k_{j} \oplus v_{i, j}^{\prime}\) , ′ both obey a uniform distribution in formula (11). Because g(∗) and h(∗) are linear functions, that is, a bijective function, according to Lemma 3, formula (9) is substituted into formula (11) to obtain \(\mathrm{h}\left(k_{i} \oplus v_{i, j}^{\prime} \oplus k_{j}\right), \mathrm{g}\left(k_{i} \oplus v_{i, j}^{\prime} \oplus k_{j}\right), \mathrm{h}\left(k_{i} \oplus v_{i, j}^{\prime}\right), \mathrm{g}\left(k_{i} \oplus v_{i, j}^{\prime}\right)\) ,\(\mathrm{h}\left(k_{j} \oplus v_{i, j}^{\prime}\right), \mathrm{g}\left(k_{j} \oplus v_{i, j}^{\prime}\right), h\left(v_{i, j}^{\prime}\right), \text { and } \mathrm{g}\left(v_{i, j}^{\prime}\right)\) , which also obey a uniform distribution. Therefore, according to Lemma 2, we obtain w( \(k_{i} \oplus v_{i, j}^{\prime} \oplus k_{i}\) ), w( \(k_{i} \oplus v_{i, j}^{\prime}\) ), and w\(\left(k_{j} \oplus v_{i, j}^{\prime}\right)\) , which all obey a uniformly distribution in formula (11). Finally, according to Lemma 1, v_i,j (0 ≤j

(2) It can be seen from the above discussion that all random numbers \(v_{i, j}\) obey a uniform distribution over \(\mathrm{F}_{2} \mathrm{n}\) , and are independent of the result of \(z_{i}=a_{i} \odot b_{i}\) . Then, d v_i,j are used to respectively protect the result z_i, that is, \(z_{i}=z_{i} \oplus v_{i, 0} \oplus \ldots \oplus v_{i, i-1} \oplus v_{i, i+1} \oplus \ldots \oplus v_{i, d}\) . Thus, according to Lemma 1, the outputs ( z₀, z₁, … ,z _d−1,z_d ) of the higher-order masking scheme obey a uniform distribution, and are independent of each other.

Therefore, attackers can apply a statistical analysis on any d masked intermediate values and cannot obtain the relevant information of the private key. It can be theoretically proven that the higher-order masking scheme described in Section 4.2 has high-order security.

4.3.2 Integrity Analysis of Masking Scheme

This section verifies the completeness of our masking scheme using a counter-evidence method. The specific analysis process is as follows:

We assume that the mask removal operation is incorrect, that is, \(z \neq z_{0} \oplus z_{1} \oplus \ldots \oplus z_{d}\) . Because the results of formula (11) and formula (6) are the same, a hypothetical condition is derived for formula (13).

\(\begin{aligned} \mathrm{z} \neq &\left(a_{0} b_{0} \oplus v_{0,1} \oplus v_{0,2} \oplus \ldots \oplus v_{0, d}\right) \oplus \ldots \oplus\left(a_{d} b_{d} \oplus v_{d, 0} \oplus v_{d, 1} \oplus \ldots \oplus v_{d, d-1}\right) \\ \quad & \neq\left(a_{0} b_{0} \oplus v_{0,1} \oplus v_{0,2} \oplus \ldots \oplus v_{0, d}\right) \oplus \ldots \oplus\left(a_{d} b_{d} \oplus v_{0, d} \oplus f\left(k_{0}, k_{d}\right) \oplus v_{1 . d} \oplus\right.\\ &\left.f\left(k_{1}, k_{d}\right) \oplus \ldots \oplus v_{d-1, d} \oplus f\left(k_{d-1}, k_{d}\right)\right) \end{aligned}\)       (13)

Formula (13) is then used to derive formula (14) through formula (5).

\(\begin{aligned} \mathrm{z} \neq &\left(a_{0} b_{0} \oplus v_{0,1} \oplus v_{0,2} \oplus \ldots \oplus v_{0, d}\right) \oplus \ldots \oplus\left(a_{d} b_{d} \oplus v_{0, d} \oplus a_{0} b_{d} \oplus a_{d} b_{0} \oplus v_{1, d} \oplus\right.\\ &\left.a_{1} b_{d} \oplus a_{d} b_{1} \oplus \ldots \oplus v_{d-1, d} \oplus a_{d-1} b_{d} \oplus a_{d} b_{d-1}\right) \\ & \neq\left(a_{0} \oplus a_{1} \oplus \ldots \oplus a_{d}\right)\left(b_{0} \oplus b_{1} \oplus \ldots \oplus b_{d}\right) \end{aligned}\)        (14)

Because  \(a=a_{0} \oplus a_{1} \oplus \ldots \oplus a_{d}\)  and \(b=b_{0} \oplus b_{1} \oplus \ldots \oplus b_{d}\) both hold, \(\left(a_{0} \oplus a_{1} \oplus \ldots \oplus a_{d}\right)\left(b_{0} \oplus b_{1} \oplus \ldots \oplus b_{d}\right)=a b=z\)  also holds. Finally, in this section it can be concluded that the hypothetical condition is incorrect. That is, the higher-order masking scheme has completeness.

5. Side Channel Attack Experiment

5.1 Experiment Environment

 

Fig. 7. Simulation experiment environment

In the experiment, the following devices were used: an FPGA board, high-definition sampling oscilloscope, USB Blaster Altera tool, 1 Ω resistance, constant voltage DC electric source, USB connection cable, high-sensitivity current probe, and a PC. The PC configuration was as follows: an Intel Core i5-7300HQ@2.50 GHz CPU, with a 64-bit Windows 7 operating system. We used Verilog in Quartus II 13.0 software to edit the McEliece based on the QD-MDPC code, the MATLAB power analysis program, the Serial Port Utility software, and BenchVue.

Our target is the output of the multiplication over \(\mathrm{F}_{2} \mathrm{n}\) in the matrix multiplication, because this section involves all bytes of a private key in the McEliece encryption algorithm. We conducted comparative single-group experiments, as described in this section. McEliece based on the encryption algorithm of the QD-MDPC code without masking protection is compared with our scheme. The above verifies the effectiveness of McEliece resisting against a DPA attack based on the masking algorithm of the QD-MDPC code. The experiment environment is as shown in Fig. 7.

5.2 Setup of DPA Attack for McEliece based on QD-MDPC code

The experimental environment described in this section contains two parts: a combinational logic module (McEliece algorithm) and a control module. Overall, the control module controls the start to the end of the encryption/decryption process and the data storage. Here, the parameters of the QD-MDPC code are set to n = 128, k = 64, and t = 49.

(1) To supply electricity to the FPGA board, the voltage of the constant voltage DC electric source is adjusted to 5 V. The positive electrode of the electric source in the FPGA chip is in-series with a 1 Ω resistor. A high-definition sampling oscilloscope probe is used to collect the changes in voltage on the 1 Ω resistor.

(2) The PC is connected to the high-definition sampling oscilloscope to obtain the collected energy traces through the configuration of the Ethernet interface.

(3) The PC is connected to the FPGA board through the USB Blaster Altera tool, and at the same time its USB interface is connected to the serial port of the board. We use the Serial Port Utility software to transmit the ciphertext and decryption signal. In the McEliece encryption algorithm, we set a set trigger signal. When the McEliece encryption algorithm runs the computation process of the matrix multiplication, it is pulled high to drive that the oscilloscope measures the energy consumption of the section. Mainly using the probe, the oscilloscope measures the voltage of the sample resistor. In this experiment, all multiplications over F_2⁸ are selected as attack points in the process of computing cP⁻¹ = mSG⨁eP⁻¹.

(4) After the McEliece algorithm has been executed, the PC receives plaintext m from the board, and obtains the collected energy traces from the oscilloscope, which is stored in a local file.

(5) The PC uses the MATLAB power analysis program to conduct the correlation analysis of the leak points of all energy traces. According to the results of the correlation analysis, we found that some points more easily leak the key information. Finally, we obtain the results of the DPA attack.

5.3 Attack Results

For McEliece based on the QD-MDPC McEliece encryption algorithm with our masking scheme protection, we first use the real inverse matrix P^-1 (It is 0xDD123456789⋯⋯), which is fed into the decryption engine. The oscilloscope then collects the actual energy traces for the attack point. A total of 1,000,000 energy traces are collected, and each energy trace only has 2,000 leakage points.

According to the steps described in Section 5.2 and the principles of the DPA attack described in Section 2.2, we run the MATLAB power analysis program to conduct a correlation analysis for the leak points of all energy traces. The purpose is to find the leak points that easily leak the key information. This type of leak point is expressed as an obvious peak in Fig. 8.

 

Fig. 8. Results of correlation analysis on first key byte

 

Fig. 9. Results of second-order DPA attack for first key byte

As shown in Fig. 8, leak points that are more vulnerable to a DPA attack do not exist. That is, there are no obvious peaks in Fig. 8. Then, a second-order DPA attack model (d = 2) analyzes the leak points of all energy traces. Finally, the result of the DPA attack is shown in Fig. 9. If a second-order DPA attack is successful, there will be an obvious peak at 0xDD of the abscissa.

Therefore, the second-order DPA attack model does not successfully attack McEliece based on the QD-MDPC code masking scheme, that is, the red part (key = 0x34) of the waveform is not the correct key value.

Next, we use the third-order DPA attack model to attack McEliece based on the McEliece masking cryptographic algorithm of the QD-MDPC code. Because the required energy traces from the first-order DPA attack model to the third-order DPA attack model will continuously increase, in this experiment, 100,000,000 energy traces are collected. We run the MATLAB power analysis program to conduct the correlation analysis for the leak points of all energy traces. The results of the correlation analysis are shown in Fig. 10.  

 

Fig. 10. Results of correlation analysis on first key byte

 

Fig. 11. Results of third-order DPA attack for first key byte

Fig. 10 does not show an obvious peak. Then, McEliece based on the masking cryptographic algorithm of the QD-MDPC code, which is realized in hardware, is attacked using a third-order DPA attack model (d = 3). The results of the DPA attack are shown in Fig. 11. At 0xDD of the abscissa, the absolute value of the corresponding difference coefficient is not the largest. Thus, the third-order DPA attack is not successful.

5.4 Comparative Results of the Experiment

For McEliece based on the QD-MDPC code encryption algorithm without a masking scheme protection, we use the real inverse matrix P^-1 (It is 0xDD123456789⋯⋯) to collect 60,000 actual energy traces. The remaining parameters are set exactly the same as those described in Section 5.3. The results of the correlation analysis are shown in Fig. 12.

 

Fig. 12. Results of correlation analysis on first key byte

There are many obvious peaks in Fig. 12, and these leak points are more vulnerable to a leak of the key information. Finally, a first-order DPA (d = 1) model attacks the interval [1, 125]. The results of the DPA attack are shown in Fig. 13. At 0xDD of the abscissa, the absolute value of the corresponding difference coefficient is the largest. Thus, the first-order DPA model is effective for the McEliece algorithm, and is realized in hardware.

 

Fig. 13. Results of first-order DPA attack for first key byte

5.5 Comparison and Analysis of Attack Results

The DPA attack model described in Sections 5.4 and 5.5 was used to analyze the security of the McEliece algorithm. The attack results are shown in Table 2.

Table 2. Comparison and analysis of attack results

 

According to Table 2, we found that McEliece based on the QD-MDPC code, which is realized in hardware, cannot defend against a first-order DPA attack. Attackers can easily obtain the first byte 0xDD of the private-key inverse matrix P-1 in 1,500 s. However, for McEliece based on the QD-MDPC code with our masking scheme protection, we analyze 1,000,000 energy traces without obtaining the correct key value. Even when 100,000,000 energy traces are analyzed, our proposed scheme can still defend against a high-order DPA attack.

We conduct a logic synthesis and apply a circuit design for the McEliece encryption algorithm with and without our masking scheme protection under the FPGA platform.

Table 3. Comparison of algorithmic circuit design

 

According to Table 3, under the same frequency, the complexity of McEliece based on the cryptographic scheme of the QD-MDPC code, which is based on higher-order masking, increases by about 20.8% in the area of hardware implementation. Two reasons can explain this problem: our scheme needs to update the mask and apply higher-order protection on the multiplication over \(\mathrm{F}_{2} \mathrm{n}\) . In addition, because our scheme has these logical units, it will inevitably lead to a decrease in throughput.

However, it can be concluded that the higher-order masking scheme designed in this study can allow McEliece based on the QD-MDPC code to defend against high-order DPA attacks.

Moreover, the performance of the algorithm has not been significantly reduced, and can still meet the performance requirements of its field of application.

6. Conclusion

In this paper, we presented a McEliece algorithm based on the cryptographic scheme of the QD-MDPC code, which is based on higher-order masking. The design of our scheme can be divided into two parts. First, we construct a QD-MDPC code to solve the problem in which Goppa McEliece has a huge key size. We then design a higher-order masking scheme by constructing an extension of the ISW masking scheme. The scheme allows McEliece based on the encryption algorithm of the QD-MDPC code, which is realized in hardware, to defend against high-order DPA attacks. An analysis shows that McEliece based on the QD-MDPC code is about 78 times higher than Goppa McEliece in terms of the key size, and has a lower encryption and decryption complexity. Meanwhile, a security analysis shows that McEliece based on the QD-MDPC code can resist structural and decoding attacks, and that a higher-order masking scheme has higher security. Finally, side-channel attack experiment shows that the McEliece masking cryptographic algorithm, which is realized in hardware, can defend against a high-order DPA attack. Our scheme consumes fewer resources, and is suitable for devices with little memory and weak communication capacity.

Recently, many statistical analysis methods have been gradually applied to a DPA attack model, such as a correlation power analysis. In particular, a power analysis technique can also be combined with other attack techniques. This new type of attack technology [30] achieves a higher success rate for attacking the McEliece cryptographic algorithm. Thus, how to resist against such attacks will become a significant challenge.