A fault attack on the Niederreiter cryptosystem using binary irreducible Goppa codes

A fault injection framework for the decryption algorithm of the Niederreiter public-key cryptosystem using binary irreducible Goppa codes and classical decoding techniques is described. In particular, we obtain low-degree polynomial equations in parts of the secret key. For the resulting system of polynomial equations, we present an efficient solving strategy and show how to extend certain solutions to alternative secret keys. We also provide estimates for the expected number of required fault injections, apply the framework to state-of-the-art security levels, and propose countermeasures against this type of fault attack.


Introduction
Many established public-key cryptosystems rely on the hardness of the factorization problem or the discrete logarithm problem. However, their long-term security is not guaranteed, because they can be broken in polynomial time using sufficiently large quantum-computers [22]. This motivates the need for post-quantum cryptosystems. One of the oldest public-key cryptosystems is the McEliece cryptosystem [17] which was designed to be used by NASA. However, partly due to its large public-key sizes, it was never standardized. The security of the McEliece cryptosystem relies on the hardness of the decoding problem for random linear codes [19].
The Niederreiter cryptosystem is a variant of the McEliece cryptosystem which offers some improvements as to the costs of encryption and decryption and requires smaller publickey sizes [18]. Particularly promising variants are based on the problem of decoding binary Goppa codes [7].
For some special subclasses of Goppa codes, namely quasi-dyadic and quasi-cyclic Goppa codes, there exist successful algebraic attacks which take advantage of the particular structure of the code [9]. But apart from these subclasses, binary (irreducible) Goppa codes still appear to resist structural attacks. The best known algorithms for decoding arbitrary linear codes use information set decoding, and their running time is still exponential [16].
Structural attacks on the Niederreiter and McEliece cryptosystems have been widely researched. However, their side-channel analysis is not quite as advanced. In general, any additional source of information that can be derived from a specific hardware or software implementation of a cryptosystem, or even its execution, may be considered a side-channel. Clearly, side-channel attacks have to be measured by their practical feasibility. Passive side-channel analysis is frequently based on power-analysis of hardware devices or timings of the execution of certain parts of the encryption or decryption algorithms.
In this paper we consider a type of active side-channel attacks called fault attacks. In particular, we assume that we are able to inject an error into the usual flow of the algorithms of the cryptosystem by corrupting the contents of specific memory cells at a particular moment. Common methods of achieving such a fault injection are manipulations of the power supply and the usage of pulsed laser or ion beams. The usability of a fault attack depends chiefly on the fault model which describes the required physical capabilities of the attacker.
For the Niederreiter and McEliece cryptosystems, there exist successful passive sidechannel attacks [2,21,23,24] which exploit traditional side-channels, such as timing and power consumption attacks. For active side-channel attacks such as fault attacks, much less seems to be known. We found only the article [6] which analyses the sensitivity of these cryptosystems to fault injections in the encryption and key generation algorithms.
However, the most natural target for a fault attack at a public-key cryptosystem is the decryption algorithm, because it uses the secret key whose knowledge would allow us to completely break the system. In fact, it suffices to find an alternative key, i.e., a key which also allows us to decrypt ciphertexts. The current paper is a first attempt at constructing such fault attacks. Our target class of cryptosystems are Niederreiter cryptosystems based on binary irreducible Goppa codes. We call them briefly BIG-N cryptosystems. The attack is based on the following fault model: (1) The decryption algorithm follows the standard pattern: first the error locator polynomial is computed, and then it is evaluated at the support elements to deduce the plaintext. (2) The decryption algorithm not only reconstructs plaintext units of weight t, the designed distance, but also illegal plaintexts p, i.e., plaintexts of weight 1 ≤ wt(p) < t. (3) After the error-locator polynomial has been computed, we are able to inject a uniformly random fault into a chosen coefficient of this polynomial, i.e., we are able to replace it by a random bit-tuple. Moreover, we assume that we are able to repeat these injections hundreds or even several thousand times. The resulting BIG-N fault attack breaks all state-of-the-art security levels [4], even "long term" secure ones, within minutes. Consequently, we suggest explicit countermeasures for hardware-or software-implementations of BIG-N cryptosystems.
Feasibility and Applicability. Let us briefly discuss the practical applicability and relevance of the new fault attack. As we shall see in Section 7, for carrying out the actual fault injections, we need to hit the register holding a certain 10-13 bit wide coefficient at a specified point in time. Using modern equipment, this is a mild requirement (see for instance [12] and [5]).
Thus it seems more pertinent to discuss the vulnerability of current cryptographic BIG-N schemes to the proposed attacks. Looking through the NIST Post-Quantum Standardization candidates, there are three original submissions based on Goppa codes: "BIG Quake" which is vulnerable to our attack, "Classic McEliece", and "NTS-KEM". The latter two are actually Vol. 12: 1   A FAULT ATTACK ON THE BIG-N CRYPTOSYSTEM  2:3 key exchange systems where the key cannot be chosen freely, and for the random vector a hash value is transmitted. This is clearly a setting in which the current attack does not apply directly. However, the reference implementation [27] for the BIG-N part of the schemes is not protected against the attack. Furthermore, the other published reference implementations [10] and [11] of the BIG-N cryptosystem use constant weight encoders and decoders whose standard implementation is also vulnerable. Thus, although it may not be very difficult to defend against, apparently all current implementations and applications of the BIG-N cryptosystem are vulnerable to the BIG-N fault attack.
Contents. Let us describe the structure of the paper in more detail. After recalling some basic facts about binary Goppa codes and BIG-N cryptosystems in Sections 2 and 3, we present a BIG-N fault attack framework in Section 4. In particular, we analyze the assumptions underlying the attack carefully and propose countermeasures. Then we introduce the general framework for the fault attack: we assume that we are able to replace the error locator polynomial σ e (x) by an erroneous one of the formσ e (x) = εx d + σ e (x) where ε ∈ F 2 m is distributed uniformly at random and d is the chosen degree under attack.
In Section 5 we analyze the resulting equations for the components of the support vector α = (α 1 , . . . , α n ) of the binary Goppa code in two particular cases: we attack the constant and the quadratic coefficient of σ e (x). From a successful constant injection we derive a linear equation for the components of α, and from a successful quadratic injection we get a linear or a quadratic equation. However, this typically requires a sequence of injections until we succeed in obtaining an erroneously deciphered word of weight two.
The next steps are taken in Section 6 where we combine the acquired linear and quadratic equations into a fault equation system and then carry out the actual BIG-N fault attack in three steps: Firstly, we solve the fault equation system and get a set of support candidates. Secondly, using the fact that it suffices to find the support and the Goppa polynomial of a larger binary Goppa code containing the publicly known one, we determine a support candidate which can be extended. Finally, we use this alternative secret key to break the given BIG-N cryptosystem.
In the final section we offer some experiments and timings for the BIG-N fault attack. In particular, we provide estimates for the average numbers of constant and quadratic fault injections needed to succeed. Moreover, we collect the timings for breaking various security levels, ranging from one minute for "short term" 60-bit security to about 25 minutes for "long term" 266-bit security.

Binary Goppa Codes
For starters, let us recall the definition of a binary Goppa code. By F 2 m we denote the finite field having 2 m elements. We also fix the following notation: given a tuple c = (c 1 , . . . , c n ) ∈ F n 2 , we let I c := {i ∈ {1, . . . , n} | c i = 1}. Definition 2.1. Let m, t, n ∈ N + such that mt < n ≤ 2 m . (a) A tuple α = (α 1 , . . . , α n ) ∈ F n 2 m such that α i = α j for i = j will be called a support tuple.
with deg(g) = t and g(α i ) = 0 for i ∈ {1, . . . , n} is called a Goppa polynomial for the support tuple α. (c) The (binary) Goppa code with the generating pair (α, g) is given by In particular, if g is an irreducible polynomial, then Γ(α, g) is called an irreducible Goppa code.
Remark 2.2. For a Goppa code C = Γ(α, g) and for c = (c 1 , . . . , c n ) ∈ F n 2 , we have Remark 2.3. Given a Goppa code C = Γ(α, g) it is well-known that a parity-check matrix H ∈ Mat mt×n (F 2 ) of C can be obtained from the matrix . . , n, by replacing each entry of H by a column of m bits that arise by fixing an F 2 -basis of F 2 m .
From here on, let C = Γ(α, g) be a binary Goppa code with parameters m, t, n ∈ N + as described above, and let H ∈ Mat mt,n (F 2 ) be a parity-check matrix of C . Forc ∈ F n 2 , we call sc =cH tr ∈ F mt 2 the syndrome ofc with respect to H . Then we havec ∈ C if and only ifcH tr = 0.
It is known that dim C ≥ n−mt and that the minimal distance of C satisfies d min (C) ≥ t. If C is irreducible, we even have C = Γ(α, g 2 ) and d min (C) ≥ 2t. Hence, in general, up to t 2 errors can be corrected, and if C is irreducible, even up to t errors can be corrected uniquely.
Since we are going to use it extensively, let us briefly recall the classical syndrome decoding method for binary Goppa codes.

Remark 2.4. (Sydrome Decoding for Goppa Codes)
Consider a received wordc = c + e ∈ F n 2 with c ∈ C and e ∈ F n 2 . Then we define the error-locator polynomial by and the syndrome polynomial ofc = (c 1 , . . . ,c n ) ∈ F n 2 by Then we have s e (x) ≡ sc(x) mod g(x), and we obtain the key equation Let us write g(x) = g t x t + · · · + g 1 x + g 0 with g 0 , . . . , g t ∈ F 2 m . Using the same F 2basis of F 2 m as in Remark 2.3, we combine sequences of m entries in the syndrome sc =cH tr = eH tr ∈ F mt 2 and getŝ ∈ F t 2 m . Now the coefficients of the syndrome polynomial sc(x) can be computed by a simple multiplication ofŝ ∈ F t 2 m with the matrix Hence it is sufficient to solve the key equation for the error-locator polynomial σ e (x). Then the zeros of σ e (x) determine the error vector e ∈ F n 2 via the oberservation that, for i ∈ {1, . . . , n}, we have e i = 1 if and only if σ e (α i ) = 0. Finally, we decodec to c =c + e.
The main task in this method is to solve the key equation. This can be done in several ways, for instance explicitly using the Sugiyama-Algorithm [25], or implicitly using the Berlekamp-Massey Algorithm [3,15]. As shown in [8], one may consider these two algorithms as essentially equivalent. For a binary irreducible Goppa code C , up to t errors can be corrected using the Patterson Algorithm [20] which also uses the key equation to obtain the error-locator polynomial. Independently of the chosen method, decoding consists of the following three basic steps.

Algorithm 2.5. (The Syndrome Decoding Algorithm)
Let C = Γ(α, g) ⊆ F n 2 be a binary Goppa code, where α = (α 1 , . . . , α n ) ∈ F n 2 m and g ∈ F 2 m [x], and let t = deg(g). Let H ∈ Mat mt×n (F 2 ) be a parity check matrix of C obtained as in Remark 2.3, and let sc =cH tr = 0 be the syndrome of a given received word c ∈ F n \ C . We assume thatc is of the formc = c + e with c ∈ C and e ∈ F n 2 such that #I e ≤ t 2 (or #I e ≤ t, if C is irreducible). Then we compute e ∈ F n 2 from sc using the following steps.

BIG-N Cryptosystems
In this section we introduce Niederreiter cryptosystems using binary irreducible Goppa codes (see [18]) and recall some of their basic properties. Subsequently, we write W n,t for the set of all elements v ∈ F n 2 of Hamming weight t, i.e., such that wt(v) = #I v = t. Definition 3.1. (BIG-N Cryptosystems) A Niederreiter cryptosystem using a binary irreducible Goppa code C (BIG-N cryptosystem) with parameters m, t, n ∈ N + such that mt < n ≤ 2 m is represented by a tuple (K sec , K pub , P, C, encr, decr) consisting of the following parts. (a) The tuple K sec = (S, H, P, α, g), where H ∈ Mat mt×n (F 2 ) is a parity check matrix of the irreducible Goppa code C = Γ(α, g) with deg(g) = t and dimension n − mt, where P ∈ Mat n (F 2 ) is a permutation matrix, and where S ∈ GL mt (F 2 ), is called the secret key.
(b) The tuple K pub = (m, t, n, H pub ), where m, t, n are the parameters of C , and where H pub = S · H · P ∈ Mat mt,n (F 2 ), is called the public key. The matrix H pub is also called the public parity check matrix. (c) The set P = W n,t is called the plaintext space, and an element p ∈ P is called a plaintext unit. (d) The set C = {pH tr pub | p ∈ P} is called the ciphertext space, and an element c ∈ C is called a ciphertext unit. (e) The map encr : P −→ C given by encr(p) = pH tr pub is called the encryption map. (f) The map decr : C −→ P given by decr(c) = γ(c · (S tr ) −1 ) · (P tr ) −1 is called the decryption map. Here the map γ : F mt 2 −→ F n 2 satisfies γ(e H tr ) = e for all e ∈ W n,t and is a syndrome decoding algorithm which corrects up to t errors.
In particular, notice that we have decr(encr(p)) = p for all p ∈ P . Indeed, for a plaintext unit p ∈ P and its ciphertext c = encr(p) = pH tr pub , we have wt(pP tr ) = wt(p) = t, and therefore γ(c (S tr ) −1 ) = γ((p P tr )H tr ) = p P tr . Hence we get decr(c) = p, as claimed.
A BIG-N cryptosystem is a public-key cryptosystem, i.e., the encryption map encr can be computed solely using the public key K pub , but the application of the decryption map decr requires the knowledge of the secret key K sec . The cryptosystem (K sec , K pub , P, C, encr, decr) is considered broken if one can efficiently compute a fast alternative decryption map decr : C −→ P which satisfies decr (encr(p)) = p for all p ∈ P . If, for an alternative decryption map decr , there exists a secret key K sec such that (K sec , K pub , P, C, encr, decr ) is a BIG-N cryptosystem, then K sec is called an alternative secret key.
In the following we let m, t, n ∈ N + such that mt < n ≤ 2 m , we let C = Γ(α, g) be an irreducible Goppa code with these parameters, and we let (K pub , K sec , P, C, encr, decr) be a BIG-N cryptosystem using C . Moreover, we fix an F 2 -basis of F 2 m and use it to convert elements of F 2 m to m-tuples of bits and vice versa.

Remark 3.2. (Simplified BIG-N Cryptosystems)
In the above setting, let H ∈ Mat mt,n (F 2 ) be the parity check matrix for C obtained as in Remark 2.3, and let P ∈ Mat n (F 2 ) be the permutation matrix contained in the secret key. Then we defineα := α · P ∈ F n 2 m andC = Γ(α, g). Clearly, alsoC is a binary irreducible Goppa code, and the matrixH := H · P is a parity check matrix forC which has the shape described in Remark 2.3.
Since the public parity check matrix satisfies H pub = S ·H , an alternative secret key for the original cryptosystem is given by (S,H, I n ,α, g), where I n is the identity matrix of size n. Consequently, we may use the Goppa codeC instead of C and get rid of the permutation matrix P as part of the secret key.
From here on we use secret keys of the form K sec = (S, H, α, g) and simplify all BIG-N cryptosystems accordingly. Notice that the code defined by the public parity check matrix H pub of the simplified cryptosystem is now equal to C and continues to be publicly known.
In view of the preceding section, we know that a BIG-N cryptosystem is broken if an efficient t-error correcting algorithm is found for the Goppa code C . The next algorithm shows that this requirement can be weakened even further.

Algorithm 3.3. (An Alternative Decryption Algorithm)
Consider a BIG-N cryptosystem (K sec , K pub , P, C, encr, decr) using the Goppa code C = Γ(α, g) and having the public key K pub = (m, t, n, H pub ). Assume that there exist a support tupleα ∈ F n 2 m and a Goppa polynomialg ∈ F 2 m [x] forα such thatt := deg(g) ≥ 2t and C ⊆C := Γ(α,g). Given a ciphertext unit c ∈ C , consider the following sequence of instructions.
(3) Computec = cS tr and apply the syndrome decoding algorithm ofC toc. Return the resulting tuple p. This is an algorithm which computes a plaintext unit p ∈ P such that we have encr(p) = c.
Proof. First notice that C ⊆C ⊥ impliesC ⊥ ⊆ C ⊥ . Since the rows ofH generateC ⊥ and the rows of H pub generate C ⊥ , it follows that there exists a matrixS ∈ Mat mt,mt (F 2 ) such thatS · H pub =H , and this matrix can computed in step (2). Furthermore, the input for Algorithm 2.5 in step (3) is correct, because c = encr(p) for some p ∈ P , and thereforec = cS tr = p H tr pubS tr = pH tr is a syndrome of weight wt(p) = t with respect toH . Consequently, the algorithm can be executed.
Its finiteness is clear. Its correctness follows from the fact that Algorithm 2.5 corrects up to deg(g) 2 =t 2 ≥ t = wt(p) errors, and hence determines p ∈ P correctly.
In view of this algorithm, it is clear that a BIG-N cryptosystem using the code C = Γ(α, g) is broken if a generating pair (α,g) for a binary Goppa code is found such that deg(g) ≥ 2t and such that C ⊆C = Γ(α,g). Therefore such a pair (α,g) will be called an alternative secret pair.

The BIG-N Fault Injection Framework
In this section we let m, t, n ∈ N + such that mt < n ≤ 2 m , we let C = Γ(α, g) be a binary irreducible Goppa code with these parameters, and we let (K pub , K sec , P, C, encr, decr) be a BIG-N cryptosystem using C . Moreover, we write K pub = (m, t, n, H pub ) for the public key and K sec = (S, H, α, g) for the secret key. Using Remark 3.2, we assume that H pub = S · H . Recall that we let I p = {i ∈ {1, . . . , n} | p i = 1} for p = (p 1 , . . . , p n ) ∈ F n 2 . In order to mount the proposed fault attack, we require that the implementation of the decryption map decr satisfies three assumptions. They are motivated by the following usual implementation which is based on the classical syndrome decoding method of Algorithm 2.5. Input: a ciphertext unit c = encr(p) ∈ C , the secret key K sec = (S, H, α, g) Output: a plaintext unit p ∈ P 1: Compute the syndrome s = c(S tr ) −1 ∈ F mt 2 with respect to H . 2: Compute the syndrome polynomial s p (x). 3: Compute the error-locator polynomial σ p (x). 4: Determine p = (p 1 , . . . , p n ) ∈ P by setting p i = 1 if σ p (α i ) = 0 and p i = 0 otherwise. 5: return p In view of this algorithm, the following assumption seems natural.
Assumption 4.2. The implementation of the decryption map decr makes use of the errorlocator polynomial in such a way that it is first computed explicitly, then evaluated at the support elements, and finally the resulting plaintext unit is returned. Next we let p ∈ F n 2 with 0 < wt(p) < t and c = p H tr pub . Since Algorithm 4.1 is based on the Syndrome Decoding Algorithm 2.5, and since syndrome decoding corrects up to t errors, applying this algorithm to c will correctly return p. Hence we make the following assumption.
and let c = pH tr pub . If we apply the decryption map decr to c, it returns p.
In order to be able to inject a fault into the decryption process, we require one final assumption.
and let c = p H tr pub . After the error-locator polynomial σ p (x) has been computed during the decryption process of c, we assume that we can inject a uniformly random fault into the d-th coefficient of σ p (x). In other words, we assume that we may replace σ p (x) by a polynomialσ p (x) = εx d + σ p (x) where ε ∈ F 2 m is chosen uniformly at random.
As a testimony to the applicability of these assumptions, consider the hardware implementation described in [27]. It follows the steps of Algorithm 4.1, and after σ p (x) has been computed, this polynomial is transferred to the evaluation module by sending m(t + 1) bits, where each m-bit subtuple represents one of coefficients of σ p (x). This transfer process is suited for an injection of a (uniformly distributed) random error ε ∈ F 2 m into the d-th coefficient of σ p (x). From a hardware point of view, it corresponds to randomly changing the state of m chosen consecutive bits.
Every implementation of the decryption map that satisfies these assumptions is vulnerable to the following fault injection framework.

Algorithm 4.5. (The BIG-N Fault Injection Framework)
For a BIG-N cryptosystem (K sec , K pub , C, P, encr, decr) as above, assume that the implementation of the decryption map decr satisfies Assumptions 4.2, 4.3, and 4.4. Choose a word p ∈ F n 2 with 0 < wt(p) ≤ t and a number d ∈ N with d < t. Then consider the following sequence of instructions.
(1) Compute c = pH tr pub ∈ F mt 2 . (2) Start the decryption algorithm decr with input c ∈ F mt 2 and inject a uniformly random , the output of the faulty decryption of step (2). This is an algorithm which returns a tuplep = (p 1 , . . . ,p n ) ∈ F n 2 such that, for i ∈ {1, . . . , n}, Proof. By Assumption 4.3, the decryption algorithm is correct for all syndromes c = p H tr pub with p ∈ F n 2 and 0 < wt(p) ≤ t. In combination with Assumption 4.2, this means that in the course of the decryption algorithm, the error-locator polynomial σ p (x) is computed correctly. By Assumption 4.2, the outputp = (p 1 , . . . ,p n ) ∈ F n 2 satisfiesp i = 1 if and only ifσ p (α i ) = 0. Since we haveσ p (x) = εx d + σ p (x) and σ p (x) = i∈Ip (x − α i ), the claim follows. In the setting of this framework, we call the triple (p, d,p) a BIG-N fault injection in degree d. We also say that this injection uses the fault ε. The possibility to perform BIG-N fault injections can be prevented as follows.  Proof. First we prove (a). Assuming that wt(p) > wt(p), we have to show ε = 0. Considering the way in whichp is determined by the zeros ofσ p (x), we see that deg(σ p (x)) ≥ wt(p). Since wt(p) = deg(σ p (x)), we get deg(σ p (x)) > deg(σ p (x)), and hence ε = 0.
To show (b), we consider two cases. In the case ε = 0, we clearly have I p = Ip and thus p =p. It remains to examine the case ε = 0. For a contradiction, assume that #(I p ∩ Ip) ≥ 2. Let j 1 , j 2 ∈ I p ∩ Ip with j 1 = j 2 . Then εx d =σ p (x) − σ p (x) has the distinct zeros α j 1 and α j 2 . This is a contradiction to the fact that εx d has no two distinct zeros. Consequently, we get #(I p ∩ Ip) ≤ 1.
Finally, we prove (c). Let ε = 0. To show the implication "⇒", we note that α i is a zero ofσ p (x) and of σ p (x). Hence α i is a zero ofσ p (x) − σ p (x) = εx d . As ε = 0, this implies α i = 0 and d > 0. Now we show the reverse implication "⇐". Since α i = 0 is a zero of σ p (x), we have x | σ p (x), and thus x | εx d + σ p (x) =σ p (x). Consequently, α i is a zero ofσ p (x), and we get i ∈ Ip . Thus we have i ∈ I p ∩ Ip , and (b) says that either p =p or I p ∩ Ip = {i}. In the second case, we are already done. So, assume that p =p. Then we deduce that, for all j ∈ I p = Ip , the element α j is a zero of both σ p (x) andσ p (x). Hence α j is a zero of σ p (x) − σ p (x) = εx d for all j ∈ I p = Ip . Thus we have α j = 0 for all j ∈ I p , and since the elements α 1 , . . . , α n are pairwise distinct, we must have #(I p ∩ Ip) = 1, as claimed.
From a BIG-N fault injection one can derive polynomial equations in the unknown support α, as the next remark explains.
Remark 4.8. Let (p, d,p) be a BIG-N fault injection using the fault ε ∈ F 2 m , and assume that wt(p) ≥ 2. Choosing i, j ∈ Ip with i = j , we obtain Therefore the tuple (α 1 , . . . , α n ) is a zero of the polynomial in F 2 m [x 1 , . . . , x n ]. Of course, using multiple BIG-N fault injections, we can generate a polynomial system which has (α 1 , . . . , α n ) as one of its F 2 m -rational solutions. Notice that each polynomial has degree d + wt(p) and involves either wt(p) + 1 or wt(p) + 2 indeterminates. Moreover, from one fault injection we obtain wt(p) 2 polynomials, and we have wt(p) ≤ deg(σ p ) ≤ max(wt(p), d). Therefore we should choose both d and wt(p) small, so that the polynomial system contains only small degree polynomials in relatively few indeterminates. But note that then only a few equations can be obtained from each injection, and hence we have to perform a large number of fault injections in order to obtain a polynomial system that involves all indeterminates.
In the next section we present two specific BIG-N fault injection classes which allow us to obtain equations of degree even lower than d + wt(p). In particular, we will see how to generate linear and quadratic equations in merely a few indeterminates.

Constant and Quadratic Fault Injection Sequences
In this section we construct algorithms which repeatedly perform BIG-N fault injections until we obtain a linear or quadratic polynomial satisfied by the support tuple (α 1 , . . . , α n ). We continue to use the setting of the preceding section: let (K sec , K pub , C, P, encr, decr) be a BIG-N cryptosystem, and assume that the decryption map decr satisfies Assumptions 4.2, 4.3, and 4.4. For i = 1, . . . , n, let e (i) denote the i-th standard basis vector of F n 2 . Subsequently, we are mainly interested in the following types of fault injections. The term successful is adequately chosen, as the following proposition shows.
Part (a) of this proposition can now be exploited for a fault injection sequence algorithm which finds a linear equation for (α 1 , . . . , α n ), if it terminates.
(1) Perform a BIG-N fault injection for the word p = e (i 1 ) + e (i 2 ) in degree zero, and let p ∈ F n 2 be its output. (2) If wt(p) = 2 andp = p, then write Ip = {j 1 , j 2 }, return the polynomial and stop. Otherwise, continue with (1). This is a Las Vegas algorithm, i.e., it may not terminate, but if it does terminate, then it returns a linear polynomial f ∈ F 2 m [x 1 , . . . , x n ] such that f (α 1 , . . . , α n ) = 0.
Proof. To prove correctness, it suffices to note that, if the algorithm stops in step (2), Proposition 5.2.a can be applied and yields α i 1 + α i 2 = α j 1 + α j 2 .
Naturally, the question arises how many faults have to be injected on average until this algorithms stops. It turns out that in the case n = 2 m the precise number is given by  Table 2 for a selection of parameters (see Section 7).
(1) Perform a BIG-N fault injection for the word p = e (i) in degree 2, and letp ∈ F n 2 be its output.
Again, it is not clear how many fault injections are typically required for one execution of the algorithm. In the case n = 2 m , it turns out that on average 2 m 2 m−1 −1 ≈ 2 faults need to be injected if α i = 0, and otherwise 2 m 2 m −1 ≈ 1 faults are required. For the general setting n ≤ 2 m , estimates for this number can be found in Table 2 (see Section 7).

The BIG-N Fault Attack
In this section we first derive some simplifications of the systems of polynomial equations we obtain by performing constant and quadratic fault injection sequences (see Algorithms 5.3 and 5.4). After that we present a strategy to determine all solutions of such a system. Finally, we explain how one can check whether they can be extended to an alternative secret pair. To begin with, consider the following property of Goppa codes. Proposition 6.1. Let α ∈ F n 2 m be a support tuple, let g ∈ F 2 m [x] be a Goppa polynomial for α, and let a ∈ F 2 m \ {0}. Then we have Proof. For c ∈ Γ(α, g), we let η c,α (x) = i∈Ic j∈Ic\{i} (x − α j ). By Remark 2.2, we have g | η c,α . By applying the ring homomorphism Ψ a : Thus Ψ a (g) | η c,a·α , and using Remark 2.2 we see that c ∈ Γ(a · α, Ψ a (g)). Therefore we have Γ(α, g) ⊆ Γ(a · α, g(a −1 · x)).
In the following we fix a BIG-N cryptosystem (K sec , K pub , C, P, encr, decr) and use the notation introduced in the preceding sections.  {(a 1 , . . . , a n ) ∈ F n 2 m | f (a 1 , . . . , a n ) = 0 for all f ∈ L} we denote the zero set of L in F 2 m . Now we consider the set S L = {(a 1 , . . . , a n ) ∈ Z F 2 m (L) | a i = a j for i = j} Since every f ∈ L results from Algorithms 5.3 or 5.4, we have f (α 1 , . . . , α n ) = 0, and since α = (α 1 , . . . , α n ) is a support tuple, we even get α ∈ S L .
Notice that the polynomials in L are homogeneous. Hence the set L generates a homogeneous ideal in F 2 m [x 1 , . . . , x n ]. Consequently, for (a 1 , . . . , a n ) ∈ S L and b ∈ F 2 m \{0} we also have (ba 1 , . . . , ba n ) ∈ S L . In view of Proposition 6.1 and the fact that g(x) is irreducible if and only if g(b −1 · x) is irreducible, we can therefore assume without loss of generality that one non-zero support element α i with i ∈ {1, . . . , n} is chosen arbitrarily to be 1.
This means that we may choose an index i ∈ {1, . . . , n} for which we know that α i = 0. Then we consider the dehomogenization of L with respect to the indeterminate x i , i.e., we add the polynomial x i − 1 to L. To determine such an index we can use a quadratic fault injection sequence. Clearly, it is best to choose the indeterminate that occurs most frequently in the polynomials of L, in order to simplify the fault equations system as much as possible.
In view of this remark, we are led to the following definitions. Definition 6.3. Let C = Γ(α, g) be a binary irreducible Goppa code, and let (K sec , K pub , P, C, encr, decr) be a BIG-N cryptosystem which uses C .
the support candidate set of L, and every element (a 1 , . . . , a n ) ∈ S L is called a support candidate of L.
Given a fault equation system L, Remark 6.2 shows that we may assume α ∈ S L . Hence the task of finding α is reduced to solving a suitable fault equation system. In view of Algorithm 3.3, we may reduce this task further. Definition 6.4. Let C = Γ(α, g) be a binary Goppa code, letα ∈ F n 2 m be a support tuple, and let u ∈ N + . (a) A Goppa polynomialg ∈ F 2 m [x] forα with C ⊆ Γ(α,g) and deg(g) = u is called a degree-u extension ofα with respect to C . (b) A support tupleα is called degree-u extendable to C if there exists a degree-u extension ofα with respect to C . If the code C is clear from the context, it may also be omitted. Remark 6.5. As explained at the end of Section 3, one can apply Algorithm 3.3 to break a BIG-N cryptosystem which uses a binary Goppa code C = Γ(α, g) with deg(g) = t as follows: Find a support tupleα ∈ F n 2 m and a Goppa polynomialg ∈ F 2 m [x] with deg(g) = u ≥ 2t such thatg is a degree-u extension ofα with respect to C . This is the reason why (α,g) is called an alternative secret pair.
In order to find such a support tupleα ∈ F n 2 m , we generate a fault equation system L ⊆ F 2 m [x 1 , . . . , x n ] using constant and quadratic fault injection sequences. Note that C = Γ(α, g 2 ) and α ∈ S L imply that at least one degree-2t extendable support candidate can be found in S L .
Based on these observations, we now perform a BIG-N fault attack which is based on the following three steps: Firstly, we compute the support candidate set S L of a fault equation system L. Secondly, we determine a degree-u extendable support candidateα ∈ S L with u ≥ 2t and its corresponding extension. Finally, we combine everything and compute an alternative secret pair, thereby breaking the system. 6.1. Finding Support Candidates. Let L ⊆ F 2 m [x 1 , . . . , x n ] be a fault equation system. Then the problem of computing the support candidate set S L can be reduced to finding the zero set Z F 2 m (L). Computing this zero set is a classic problem of computer algebra which can be solved, for instance, using Gröbner basis techniques (see [13,Sec. 3.7] or [14,Sec. 6.3]). However, in order to improve the efficiency of these methods, it is important that we first use the linear equations in L to eliminate some indeterminates and reduce the complexity of the quadratic equations. The following algorithm aids this task.  (α 1 , . . . ,α n ) ∈ ψ(S red ) |α i =α j for i = j}. This is an algorithm which computes the support candidate set S L of L.
Proof. Since finiteness is clear, we have to show that the set S returned in step (6) is indeed equal to S L .
Thus it remains to show that γ ∈ S red = Z F 2 m (L red ). Note that, by construction, we for all Ψ(f ) ∈ L red . This proves γ ∈ Z F 2 m (L red ), and henceα ∈ S . 6.2. Finding Suitable Goppa Polynomials. Recall that the generating pair (α, g) of the irreducible Goppa code C = Γ(α, g) is part of the secret key of any BIG-N cryptosystem using C . The code C itself is published via the public parity check matrix H pub . Let L ⊆ F 2 m [x 1 , . . . , x n ] be a fault equation system, let S L be its support candidate set, let α ∈ S L be a support candidate which is degree-u extendable with respect to C for some u ≥ 2t, and letg ∈ F 2 m [x] be a degree-u extension ofα. This means that C ⊆ Γ(α,g). By Remark 2.2, it follows for all c ∈ Γ(α,g) that we havẽ . In particular, this divisibility then holds for all c ∈ C . Hence, knowing only C andα, we can compute multiples of the desired polynomialg . The following algorithm uses these observations and computes an extensiong of a given support tupleα if and only ifα is extendable. Note that its core idea is based on [19, p. 125].

Algorithm 6.7 (GoppaGCD).
Input: A support tupleα ∈ F n 2 m , t ∈ N + , and a binary Goppa code C ⊆ F n 2 . Output: Fail, or a degree-2t extension ofα with respect to C . returng 18: end if Proposition 6.8. Letα ∈ F n 2 m be a support tuple, let t ∈ N + , and let C ⊆ F n 2 be a binary Goppa code. Then Algorithm 6.7 is finite and the following conditions are equivalent.

Julian Danner and Martin Kreuzer
Vol. 12:1 (a) The function GoppaGCD(α, t, C) returns a degree-u extension ofα with respect to C for some u ≥ 2t. (b) The tupleα is degree-u extendable with respect to C for some u ≥ 2t. Otherwise, the algorithm returns Fail.
Proof. Since finiteness is clear, it suffices to prove the equivalence of (a) and (b) and the additional claim. To begin with, we show that the output of the function GoppaGCD(α, t, C) is either Fail or a degree-u extension ofα for some u ≥ 2t.
Clearly, the algorithm ends either in step (6), (15), or (17). Hence it terminates with Fail or a polynomialg ∈ F 2 m [x]. Suppose that it ends in step (17) with a polynomialg . Notice that this entails deg(g) ≥ 2t, as otherwise the algorithm would have terminated at the latest in step (15).
Note that an F 2 -basis B of C , as required in step (1), can be deduced from the rows of a generator matrix of C . Moreover, when the degree of the polynomialg is equal to 2t in the course of the loop (2)-(8), the polynomial will either stay the same for the remaining execution of the algorithm, or the result is Fail. Therefore we can also stop the algorithm at this point and use any other method to check ifg is a Goppa polynomial forα and if we have C ⊆ Γ(α,g). For instance, an efficient method is to compare a parity check matrix of Γ(α,g) with H pub . 6.3. Computing an Alternative Secret Pair. In this subsection we combine the algorithms of the previous two subsections and obtain the following fault attack algorithm which returns an alternative secret pair. Algorithm 6.9. (BIG-N Fault Attack) Let m, t, n ∈ N + be such that mt < n ≤ 2 m , let C = Γ(α, g) be a binary irreducible Goppa code with parameters (m, t, n), and let N be a BIG-N cryptosystem which uses C . Suppose that the implementation of the decryption map satisfies Assumptions 4.2, 4.3, and 4.4. Let L ⊆ F 2 m [x 1 , . . . , x n ] be a fault equation system which has been constructed using constant and quadratic fault injection sequences applied to N .
(1) Compute the support candidate set S L of L using Algorithm 6.6.
(2) Chooseα ∈ S L and remove it from S L .
(3) Use Algorithm 6.7 to compute GoppaGCD(α, t, C). If the output is Fail, then go to step (2). Otherwise, the output is a polynomialg . Return the pair (α,g) and stop. This is an algorithm which computes an alternative secret pair (α,g).
Proof. First we prove finiteness. For the support candidate set S L of step (1), we may assume α ∈ S L by Remark 6.2. Since S L ⊆ F n 2 m is a finite set, after finitely many iterations of steps (2) and (3) the support tupleα = α ∈ S L is chosen. Since α is degree-2t extendable using the extension g 2 , Proposition 6.8 shows that the call to GoppaGCD(α, t, C) in step (3) returns a polynomialg ∈ F 2 m [x]. Hence the algorithm terminates.
It remains to prove that the output (α,g) is an alternative secret pair. By Proposition 6.8, the algorithm terminates in step (3) if and only ifα ∈ S L is degree-u extendable for some u ≥ 2t. In this case the polynomialg is a degree-u extension ofα for some u ≥ 2t, and Algorithm 3.3 implies that (α,g) is an alternative secret pair.

Experiments and Timings
In this section we apply the BIG-N fault attack (Algorithm 6.9) to a selection of state-ofthe-art security levels. Table 1 [4].
Recall that the only input of the BIG-N fault attack is a fault equation system. It can be computed, for instance, using the following algorithm. Our experiments show that fault equation systems obtained with this method can be solved efficiently with Algorithm 6.6.  In order to determine the expected number of BIG-N fault injections needed during the computation of a fault equation system using this algorithm, we denote the probability of a successful constant fault injection by p 0 and the probability of a successful quadratic fault injection by p 2 . Then we expect that n p 0 + n 10 1 p 2 faults have to be injected in total to generate the fault equation system using Algorithm 7.1.
Since there is no obvious formula to calculate these probabilities, they were estimated in the following way: For each security level, we considered three random irreducible Goppa codes. For each Goppa code, we chose uniformly at random 200 distinct words p for the fault injection sequences in step (2) and (4), respectively. For each word p, we computed the exact number of faults which lead to a successful fault injection. Dividing the average of those three numbers by 2 m yields our estimatesp 0 andp 2 respectively. Table 2 contains, both for the constant and the quadratic fault injection sequences, the average number of faults which lead to a successful fault injection and the estimated standard deviation. The estimatesp 0 andp 2 for p 0 and p 2 are also given.  Table 2: Average numbers of faults and success probabilities.

Sec
Observe that the success probabilities drop significantly when the ratio n 2 m gets smaller. This can be attributed to the fact that a constant or quadratic fault injection is successful if and only if the faulty error-locator polynomialσ p (x) has two zeros among the support elements {α 1 , . . . , α n }, and it seems natural that there are more such faults when n is larger.
An implementation of a BIG-N cryptosystem following the FPGA-based implementation of [26,27] is provided in the computer algebra system CoCoA-5 [1] along with all algorithms of this paper. For the computation of the zero set of the reduced fault equation system L red in step (4) of Algorithm 6.6, we make use the CoCoA-5 function RationalSolve which uses Gröbner basis computations. Timings of the BIG-N fault attack (Algorithm 6.9) for all security parameters of Table 1 are given in Table 3. We also list the size of the reduced fault equation system L red , as computed in step (4) of Algorithm 6.6, the time for computing its zero set Z F 2 m (L red ) using the CoCoA-5 function RationalSolve, and the time for extending a support candidate to an alternative secret pair using Algorithm 6.7. The timings represent the average of three runs of the algorithm applied to distinct randomly generated BIG-N cryptosystems.  Table 3: Timings of the BIG-N fault attack (Algorithm 6.9).
This table shows that a straightforward implementation of the BIG-N cryptosystem using classical decoding methods is quite susceptible to the BIG-N fault attack. Even stateof-the-art security parameters were broken in about 20 minutes. Therefore we recommended to implement the countermeasures proposed in Remark 4.6.