Classic McEliece 的旁通道分析：在 Cortex-M4 上的優 化和評估

Abstract

Classic McEliece 是由 Robert J. McEliece 於1978年設計的公鑰加密方案。它以其對抗量子電腦的攻擊能力而聞名，因此在後量子密碼學中廣受青睞。然而，最近對旁通道分析的研究揭示出，在未應用遮罩保護的情況下，Classic McEliece 容易受到旁通道攻擊。 為了解決這個弱點，通常會使用算術遮罩作為軟體保護技術。然而，在實際應用中，算術遮罩的軟體實現會帶來顯著的負擔。在我們的實現中，我們提出了一個有效且最優的仿射遮罩Classic McEliece 加法快速傅立葉變換（FFT）實現，適用於在STM32F407/STM32F40715 Discovery開發板上的ARM Cortex-M4處理器。我們還使用Test Vector Leakage Techniques（TVLA）來評估其安全性。 我們的方法實現了高水平的安全性，因為t統計值保持在4.5個標準偏差的閾值以下。這意味著洩漏的信息無法被檢測出來，確保有效抵禦旁通道攻擊。

Classic McEliece is a public-key encryption scheme designed by Robert J. McEliece in 1978. It is well-known for its resistance to attacks by quantum computers, making it a popular choice for post-quantum cryptography. However, recent studies on side-channel analysis have revealed that Classic McEliece is vulnerable to side-channel attacks when no masking protection is applied. To address this vulnerability, arithmetic masking is commonly employed as a software protection technique. Nevertheless, in practice, a software implementation of arithmetic masked Classic McEliece incurs significant overhead. In our implementation, we present an efficient and optimal affine masked Classic McEliece additive Fast Fourier Transform (FFT) implementation for the ARM Cortex-M4 on the STM32F407/STM32F40715 Discovery board (a common Cortex-M4 board). We also evaluate its security using TVLA (Test Vector Leakage Techniques). Our approach achieves a high level of security, as the t-statistic value remains below the threshold of 4.5 standard deviations. This implies that leaked information cannot be detected, ensuring robust protection against side-channel attacks.