{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,11]],"date-time":"2025-09-11T19:06:36Z","timestamp":1757617596629,"version":"3.44.0"},"reference-count":30,"publisher":"Springer Science and Business Media LLC","issue":"7","license":[{"start":{"date-parts":[[2025,3,7]],"date-time":"2025-03-07T00:00:00Z","timestamp":1741305600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,7]],"date-time":"2025-03-07T00:00:00Z","timestamp":1741305600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Federal Ministry of Education and Research of Germany","award":["16KISK002","16KISK002"],"award-info":[{"award-number":["16KISK002","16KISK002"]}]},{"DOI":"10.13039\/501100005713","name":"Technische Universit\u00e4t M\u00fcnchen","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005713","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Des. Codes Cryptogr."],"published-print":{"date-parts":[[2025,7]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>We study the hardness of the Syndrome Decoding problem, the base of most code-based cryptographic schemes, such as Classic McEliece, in the presence of side-channel information. 
We use ChipWhisperer equipment to perform a template attack on Classic McEliece running on an ARM Cortex-M4, and accurately classify the Hamming weights of consecutive 32-bit blocks of the secret error vector <jats:inline-formula>\n              <jats:alternatives>\n                <jats:tex-math>$$\\textbf{e}\\in {{\\mathbb {F}}}_2^n$$<\/jats:tex-math>\n                <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mi>e<\/mml:mi>\n                    <mml:mo>\u2208<\/mml:mo>\n                    <mml:msubsup>\n                      <mml:mi>F<\/mml:mi>\n                      <mml:mn>2<\/mml:mn>\n                      <mml:mi>n<\/mml:mi>\n                    <\/mml:msubsup>\n                  <\/mml:mrow>\n                <\/mml:math>\n              <\/jats:alternatives>\n            <\/jats:inline-formula>. With these weights at hand, we optimize Information Set Decoding algorithms. Technically, we demonstrate how to speed up information set decoding via a dimension reduction, additional parity-check equations, and an improved information set search, all derived from the Hamming-weight information. 
Consequently, using our template attack, we can practically recover an error vector <jats:inline-formula>\n              <jats:alternatives>\n                <jats:tex-math>$$\\textbf{e}\\in {{\\mathbb {F}}}_2^n$$<\/jats:tex-math>\n                <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mi>e<\/mml:mi>\n                    <mml:mo>\u2208<\/mml:mo>\n                    <mml:msubsup>\n                      <mml:mi>F<\/mml:mi>\n                      <mml:mn>2<\/mml:mn>\n                      <mml:mi>n<\/mml:mi>\n                    <\/mml:msubsup>\n                  <\/mml:mrow>\n                <\/mml:math>\n              <\/jats:alternatives>\n            <\/jats:inline-formula> in dimension <jats:inline-formula>\n              <jats:alternatives>\n                <jats:tex-math>$$n=2197$$<\/jats:tex-math>\n                <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mi>n<\/mml:mi>\n                    <mml:mo>=<\/mml:mo>\n                    <mml:mn>2197<\/mml:mn>\n                  <\/mml:mrow>\n                <\/mml:math>\n              <\/jats:alternatives>\n            <\/jats:inline-formula> in a matter of seconds. Without side-channel information, such an instance has a complexity of around 88 bit. We also estimate how our template attack affects the security of the proposed McEliece parameter sets. 
Roughly speaking, even an error-prone leak of our Hamming weight information leads for <jats:inline-formula>\n              <jats:alternatives>\n                <jats:tex-math>$$n=3488$$<\/jats:tex-math>\n                <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mi>n<\/mml:mi>\n                    <mml:mo>=<\/mml:mo>\n                    <mml:mn>3488<\/mml:mn>\n                  <\/mml:mrow>\n                <\/mml:math>\n              <\/jats:alternatives>\n            <\/jats:inline-formula> to a security drop of 89 bits.<\/jats:p>","DOI":"10.1007\/s10623-025-01603-1","type":"journal-article","created":{"date-parts":[[2025,3,7]],"date-time":"2025-03-07T02:04:59Z","timestamp":1741313099000},"page":"2503-2519","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["How to lose some weight: a practical template syndrome decoding attack"],"prefix":"10.1007","volume":"93","author":[{"given":"Sebastian","family":"Bitzer","sequence":"first","affiliation":[]},{"given":"Jeroen","family":"Delvaux","sequence":"additional","affiliation":[]},{"given":"Elena","family":"Kirshanova","sequence":"additional","affiliation":[]},{"given":"Sebastian","family":"Maa\u00dfen","sequence":"additional","affiliation":[]},{"given":"Alexander","family":"May","sequence":"additional","affiliation":[]},{"given":"Antonia","family":"Wachter-Zeh","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,7]]},"reference":[{"key":"1603_CR1","doi-asserted-by":"crossref","unstructured":"Al Jabri A.: A statistical decoding algorithm for general linear block codes. In: Honary B. (ed.) 8th IMA International Conference on Cryptography and Coding, vol. 2260, pp. 1\u20138. LNCS. 
Springer, Heidelberg (2001).","DOI":"10.1007\/3-540-45325-3_1"},{"key":"1603_CR2","unstructured":"Albrecht M.R., Bernstein D.J., Chou T., Cid C., Gilcher J., Lange T., Maram V., von Maurich I., Misoczki R., Niederhagen R., Paterson K.G., Persichetti E., Peters C., Schwabe P., Sendrier N., Szefer J., Tjhai C.J., Tomlinson M., Wang W.: Classic McEliece: conservative code-based cryptography (2020). https:\/\/classic.mceliece.org\/nist\/mceliece-20201010.pdf."},{"key":"1603_CR3","unstructured":"Aragon N., Lavauzelle J., Lequesne M.: decodingchallenge.org (2019). http:\/\/decodingchallenge.org."},{"key":"1603_CR4","unstructured":"Aragon N., Barreto P.L., Bettaieb S., Bidoux L., Blazy O., Deneuville J.-C., Gaborit P., Ghosh S., Gueron S., Guneysu T., Melchor C.A., Misoczki R., Persichetti E., Richter-Brockmann J., Sendrier N., Tillich J.-P., Valentin V., Z\u00e9mor G.: BIKE \u2014 Bit Flipping Key Encapsulation (2023). https:\/\/bikesuite.org\/."},{"key":"1603_CR5","doi-asserted-by":"crossref","unstructured":"Augot D., Finiasz M., Sendrier N.: A family of fast syndrome based cryptographic hash functions. In: Progress in Cryptology\u2014Mycrypt 2005, pp. 64\u201383 (2005).","DOI":"10.1007\/11554868_6"},{"key":"1603_CR6","doi-asserted-by":"crossref","unstructured":"Bitzer S., Delvaux J., Kirshanova E., Maa\u00dfen S., May A., Wachter-Zeh A.: Practical Template Syndrome Decoding Attack. GitHub repository. https:\/\/github.com\/ChuTriel\/TemplateISD (2024).","DOI":"10.1007\/s10623-025-01603-1"},{"key":"1603_CR7","doi-asserted-by":"crossref","unstructured":"Brier E., Clavier C., Olivier F.: Correlation power analysis with a leakage model. In: 6th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2004), pp. 16\u201329. 
Springer (2004).","DOI":"10.1007\/978-3-540-28632-5_2"},{"key":"1603_CR8","doi-asserted-by":"publisher","unstructured":"Carrier K., Debris-Alazard T., Meyer-Hilfiger C., Tillich J.-P.: Statistical decoding 2.0: Reducing decoding to LPN. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT\u00a02022, Part\u00a0IV. LNCS, vol. 13794, pp. 477\u2013507. Springer, Heidelberg (2022).https:\/\/doi.org\/10.1007\/978-3-031-22972-5_17.","DOI":"10.1007\/978-3-031-22972-5_17"},{"key":"1603_CR9","doi-asserted-by":"publisher","unstructured":"Chari S., Rao J.R., Rohatgi P.: Template attacks. In: Kaliski B.S. Jr., Ko\u00e7 \u00c7.K. Paar C. (eds.) CHES\u00a02002. LNCS, vol. 2523, pp. 13\u201328. Springer, Heidelberg (2003).https:\/\/doi.org\/10.1007\/3-540-36400-5_3","DOI":"10.1007\/3-540-36400-5_3"},{"key":"1603_CR10","unstructured":"Chen M.-S., Chou T.: Classic McEliece implementation for ARM-Cortex M4 (2022). https:\/\/github.com\/pqcryptotw\/mceliece-arm-m4\/blob\/main\/pqm4-projects\/crypto_kem\/mceliece348864\/ches2021\/decrypt_n3488_t64.c. commit f2a699dd480f9f91d566eb4b910fd4e51e3bdc91."},{"key":"1603_CR11","doi-asserted-by":"publisher","unstructured":"Chen M.-S., Chou T.: Classic McEliece on the ARM cortex-M4. IACR TCHES 2021(3), 125\u2013148 (2021). https:\/\/doi.org\/10.46586\/tches.v2021.i3.125-148 . https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/view\/8970.","DOI":"10.46586\/tches.v2021.i3.125-148"},{"key":"1603_CR12","doi-asserted-by":"crossref","unstructured":"Chen C., Eisenbarth T., Von Maurich I., Steinwandt R.: Masking large keys in hardware: a masked implementation of McEliece. In: Dunkelman O., Keliher L. (eds.) Selected Areas in Cryptography\u2014SAC 2015, pp. 293\u2013309. Springer, Cham (2016).","DOI":"10.1007\/978-3-319-31301-6_18"},{"key":"1603_CR13","doi-asserted-by":"crossref","unstructured":"Ducas L., Esser A., Etinski S., Kirshanova E.: Asymptotics and improvements of sieving for codes. In: Advances in Cryptology\u2014EUROCRYPT 2024, pp. 151\u2013180. 
Springer, Berlin (2024).","DOI":"10.1007\/978-3-031-58754-2_6"},{"key":"1603_CR14","unstructured":"Dumer I.: On minimum distance decoding of linear codes. In: Proc. 5th Joint Soviet-Swedish Int. Workshop Inform. Theory, pp. 50\u201352, Moscow (1991)."},{"key":"1603_CR15","doi-asserted-by":"crossref","unstructured":"Esser A., May A., Zweydinger F.: McEliece needs a break\u2014solving McEliece-1284 and quasi-cyclic-2918 with modern ISD. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 433\u2013457. Springer (2022).","DOI":"10.1007\/978-3-031-07082-2_16"},{"key":"1603_CR16","doi-asserted-by":"publisher","unstructured":"Esser A., May A., Zweydinger F.: McEliece needs a break\u2014solving McEliece-1284 and quasi-cyclic-2918 with modern ISD. In: Dunkelman O., Dziembowski,S. (eds.) EUROCRYPT\u00a02022, Part\u00a0III. LNCS, vol. 13277, pp. 433\u2013457. Springer, Heidelberg (2022).https:\/\/doi.org\/10.1007\/978-3-031-07082-2_16.","DOI":"10.1007\/978-3-031-07082-2_16"},{"key":"1603_CR17","doi-asserted-by":"crossref","unstructured":"Esser A., Santini P.: Not just regular decoding: asymptotics and improvements of regular syndrome decoding attacks. In: Advances in Cryptology\u2014CRYPTO 2024, pp. 183\u2013217. Springer, Berlin (2024)","DOI":"10.1007\/978-3-031-68391-6_6"},{"key":"1603_CR18","doi-asserted-by":"crossref","unstructured":"Esser A., Verbel J., Zweydinger F., Bellini E.: CryptographicEstimators\u2014a software library for cryptographic hardness estimation. In: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 560\u2013574 (2024).","DOI":"10.1145\/3634737.3645007"},{"key":"1603_CR19","doi-asserted-by":"crossref","unstructured":"Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. 
In: Advances in Cryptology\u2014ASIACRYPT 2009: 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6\u201310 December 2009. Proceedings 15, pp. 88\u2013105. Springer, Berlin (2009).","DOI":"10.1007\/978-3-642-10366-7_6"},{"key":"1603_CR20","doi-asserted-by":"crossref","unstructured":"Gan P., Ravi P., Raj K., Baksi A., Chattopadhyay A.: Classic McEliece hardware implementation with enhanced side-channel and fault resistance. Cryptology ePrint Archive (2024).","DOI":"10.36227\/techrxiv.171925242.26878384\/v1"},{"key":"1603_CR21","doi-asserted-by":"crossref","unstructured":"Grosso V., Cayrel P.-L., Colombier B., Dr\u0103goi V.-F.: Punctured syndrome decoding problem: Efficient side-channel attacks against classic McEliece. In: International Workshop on Constructive Side-Channel Analysis and Secure Design, pp. 170\u2013192. Springer, Cham (2023).","DOI":"10.1007\/978-3-031-29497-6_9"},{"issue":"11","key":"1603_CR22","doi-asserted-by":"publisher","first-page":"8303","DOI":"10.1109\/TIT.2024.3457150","volume":"70","author":"Q Guo","year":"2024","unstructured":"Guo Q., Johansson T., Nguyen V.: A new sieving-style information-set decoding algorithm. IEEE Trans. Inf. Theory 70(11), 8303\u20138319 (2024).","journal-title":"IEEE Trans. Inf. Theory"},{"key":"1603_CR23","doi-asserted-by":"crossref","unstructured":"Horlemann A.-L., Puchinger S., Renner J., Schamberger T., Wachter-Zeh A.: Information-Set Decoding with Hints. In: Code-Based Cryptography, pp. 60\u201383. Springer, Cham (2022).","DOI":"10.1007\/978-3-030-98365-9_4"},{"key":"1603_CR24","doi-asserted-by":"publisher","unstructured":"Lahr N., Niederhagen R., Petri R., Samardjiska S.: Side channel information set decoding using iterative chunking - plaintext recovery from the \u201cclassic McEliece\u201d hardware reference implementation. In: Moriai S., Wang H. (eds.) ASIACRYPT\u00a02020, Part\u00a0I. LNCS, vol. 12491, pp. 881\u2013910. 
Springer, Heidelberg (2020). https:\/\/doi.org\/10.1007\/978-3-030-64837-4_29.","DOI":"10.1007\/978-3-030-64837-4_29"},{"key":"1603_CR25","doi-asserted-by":"publisher","unstructured":"May A., Meurer A., Thomae E.: Decoding random linear codes in $$\\tilde{\\cal{O}}(2^{0.054n})$$. In: Lee D.H., Wang X. (eds.) ASIACRYPT\u00a02011. LNCS, vol. 7073, pp. 107\u2013124. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-25385-0_6.","DOI":"10.1007\/978-3-642-25385-0_6"},{"key":"1603_CR26","unstructured":"Melchor C.A., Aragon N., Bettaieb S., Bidoux L., Blazy O., Bos J., Deneuville J.-C., Dion A., Gaborit P., Lacan J., Persichetti E., Robert J.-M., V\u00e9ron P., Z\u00e9mor G.: Hamming quasi-cyclic (HQC) (2023). https:\/\/pqc-hqc.org\/."},{"issue":"3","key":"1603_CR27","doi-asserted-by":"publisher","first-page":"241","DOI":"10.1587\/transfun.2022CIP0023","volume":"106","author":"S Narisada","year":"2023","unstructured":"Narisada S., Fukushima K., Kiyomoto S.: Multiparallel MMT: faster ISD algorithm solving high-dimensional syndrome decoding problem. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 106(3), 241\u2013252 (2023).","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"issue":"5","key":"1603_CR28","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1109\/TIT.1962.1057777","volume":"8","author":"E Prange","year":"1962","unstructured":"Prange E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5\u20139 (1962).","journal-title":"IRE Trans. Inf. Theory"},{"key":"1603_CR29","doi-asserted-by":"crossref","unstructured":"Standaert F.: How (not) to use Welch\u2019s t-test in side-channel security evaluations. In: Bilgin B., Fischer J. (eds.) 17th Conference on Smart Card Research and Advanced Applications (CARDIS 2018), vol. 11389, pp. 65\u201379. Lecture Notes in Computer Science. 
Springer, Cham (2018).","DOI":"10.1007\/978-3-030-15462-2_5"},{"key":"1603_CR30","doi-asserted-by":"crossref","unstructured":"Stern J.: A method for finding codewords of small weight. In: Coding Theory and Applications, pp. 106\u2013113. Springer, New York (1989).","DOI":"10.1007\/BFb0019850"}],"container-title":["Designs, Codes and Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-025-01603-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10623-025-01603-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-025-01603-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,6]],"date-time":"2025-09-06T07:33:24Z","timestamp":1757144004000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10623-025-01603-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,7]]},"references-count":30,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2025,7]]}},"alternative-id":["1603"],"URL":"https:\/\/doi.org\/10.1007\/s10623-025-01603-1","relation":{},"ISSN":["0925-1022","1573-7586"],"issn-type":[{"type":"print","value":"0925-1022"},{"type":"electronic","value":"1573-7586"}],"subject":[],"published":{"date-parts":[[2025,3,7]]},"assertion":[{"value":"15 September 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 January 2025","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 February 2025","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article 
History"}},{"value":"7 March 2025","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}