Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE

Well before large-scale quantum computers will be available, traditional cryptosystems must transitioned to post-quantum (PQ) secure schemes. The NIST PQC competition aims standardize suitable cryptographic Candidates are evaluated not only on their formal security strengths, but also judged based the with regard resistance against side-channel attacks. Although round 3 candidates have already been intensively vetted such attacks, one important attack vector has hitherto missed: PQ schemes often rely rejection sampling techniques obtain pseudorandomness from a specific distribution. In this paper, we reveal that routines seeded secretdependent information and leak timing result in practical key recovery attacks code-based encapsulation mechanisms HQC BIKE.Both BIKE selected as alternate third of competition, which puts them track for getting standardized separately o finalists. They specifically hardened constant-time decoders avoid However, show novel vulnerabilities both schemes: (1) Our secret requiresonly approx. 866,000 idealized decapsulation oracle queries 128-bit setting. It is structurally different previously identified scheme: Previously, exploitable leakages BCH decoder submitted version, ciphertext check well pseudorandom function Fujisaki-Okamoto transformation. contrast, our uses fact routine invoked during deterministic re-encryption leaks secret-dependent information, can efficiently exploited recover when instantiated (now constant-time) decoder, RMRS current submission. (2) From constant weight word sampler decapsulation, demonstrate how distinguish whether decoding step successful or not, distinguisher then used framework GJS derive distance spectrum key, using 5.8 x 107 queries. We provide details analyses fully implemented discussion possible countermeasures limits.