Side-channel attacks on code-based post-quantum cryptographic systems: a survey. Part 1
Abstract:
This two-part work provides a structured analytical review of attacks that exploit side-channel information against post-quantum cryptosystems built on the methods and constructions of error-correcting coding theory. The first part of the review describes the main cryptographic primitives and algorithms used in code-based cryptosystems and presents the most significant modern code-based schemes: Classic McEliece, Codiaeum, Shipovnik, BIKE, and HQC. The survey was carried out within the research project «Kulminatsiya» of the National Technology Center for Digital Cryptography.
Tab. 5, illustr. 14, bibliogr. 111.
References:
- Shor P. W. Algorithms for quantum computation: Discrete logarithms and factoring // Proc. 35th Annu. Symp. Foundations of Computer Science (Santa Fe, USA, Nov. 20–22, 1994). Los Alamitos, CA: IEEE Comput. Soc., 1994. P. 124–134. DOI: 10.1109/SFCS.1994.365700.
- Niederreiter H. Knapsack-type cryptosystems and algebraic coding theory // Prob. Control Inf. Theory. 1986. V. 15, No. 2. P. 157–166.
- McEliece R. J. A public-key cryptosystem based on algebraic coding theory // DSN Progress Rep. 1978. V. 42–44. P. 114–116.
- Bernstein D. J., Chou T., Cid C. [et al.]. Classic McEliece. Specification. Chicago: Univ. Ill. Chic., 2022. 16 p. URL: https://classic.mceliece.org/spec.html (accessed: 6.03.2026).
- Vysotskaya V. V., Chizhov I. V. Post-quantum key encapsulation mechanism “Codiaeum” // Proc. XXVI Int. Sci.-Pract. Conf. “RusCrypto” (Moscow, Russia, Mar. 19–22, 2024). Moscow: RusCrypto, 2024. 16 p. [Russian]. URL: https://ruscrypto.ru/resource/archive/rc2024/files/05_vysotskaya_chizhov.pdf (accessed: 6.03.2026).
- Vysotskaya V. V., Chizhov I. V. Post-quantum digital signature scheme based on the Stern identification protocol // Proc. XXIII Int. Sci.-Pract. Conf. “RusCrypto” (Moscow, Russia, Mar. 23–26, 2021). Moscow: RusCrypto, 2021. 27 p. [Russian]. URL: https://ruscrypto.ru/resource/archive/rc2021/files/02_vysotskaya_chizhov.pdf (accessed: 6.03.2026).
- Berlekamp E., McEliece R., Van Tilborg H. On the inherent intractability of certain coding problems (corresp.) // IEEE Trans. Inf. Theory. 1978. V. 24, No. 3. P. 384–386. DOI: 10.1109/TIT.1978.1055873.
- Goppa V. D. A rational representation of codes and ($L, g$)-codes // Probl. Peredachi Inf. 1971. V. 7, No. 3. P. 41–49 [Russian; English transl.: Probl. Inf. Transm. 1971. V. 7, No. 3. P. 223–229].
- Hofheinz D., Hövelmanns K., Kiltz E. A modular analysis of the Fujisaki–Okamoto transformation // Theory of cryptography. Proc. 15th Int. Conf. (Baltimore, MD, USA, Nov. 12–15, 2017). Pt. I. Cham: Springer, 2017. P. 341–371. (Lect. Notes Comput. Sci.; V. 10677). DOI: 10.1007/978-3-319-70500-2_12.
- Bindel N., Hamburg M., Hövelmanns K. [et al.]. Tighter proofs of CCA security in the quantum random oracle model // Theory of cryptography. Proc. 17th Int. Conf. (Nuremberg, Germany, Dec. 1–5, 2019). Pt. II. Cham: Springer, 2019. P. 61–90. (Lect. Notes Comput. Sci.; V. 11892). DOI: 10.1007/978-3-030-36033-7_3.
- Fiat A., Shamir A. How to prove yourself: Practical solutions to identification and signature problems // Advances in cryptology — CRYPTO’86. Proc. Conf. Theory and Applications of Cryptographic Techniques (Santa Barbara, USA, Aug. 11–15, 1986). Heidelberg: Springer, 1987. P. 186–194. (Lect. Notes Comput. Sci.; V. 263). DOI: 10.1007/3-540-47721-7_12.
- Gao S., Mateer T. Additive fast Fourier transforms over finite fields // IEEE Trans. Inf. Theory. 2010. V. 56, No. 12. P. 6265–6272.
- Sendrier N. Finding the permutation between equivalent linear codes: The support splitting algorithm // IEEE Trans. Inf. Theory. 2000. V. 46, No. 4. P. 1193–1203. DOI: 10.1109/18.850662.
- Stern J. A method for finding codewords of small weight // Coding theory and applications. Proc. 3rd Int. Colloq. (Toulon, France, Nov. 2–4, 1988). Heidelberg: Springer, 1988. P. 106–113. (Lect. Notes Comput. Sci.; V. 388). DOI: 10.1007/BFb0019850.
- Sidelnikov V. M., Shestakov S. O. On insecurity of cryptosystems based on generalized Reed–Solomon codes // Diskretn. Mat. 1992. V. 4, No. 3. P. 57–63 [Russian; English transl.: Discrete Math. Appl. 1992. V. 2, No. 4. P. 439–444. DOI: 10.1515/dma.1992.2.4.439].
- Davydov V. V., Beliaev V. V., Kustov E. F. [et al.]. Modern variations of McEliece and Niederreiter cryptosystems // J. Sci. Tech. Inf. Technol. Mech. Opt. 2022. V. 22, No. 2. P. 324–331. DOI: 10.17586/2226-1494-2022-22-2-324-331.
- Sidelnikov V. M. Public-key encryption based on binary Reed–Muller codes // Diskretn. Mat. 1994. V. 6, No. 2. P. 3–20 [Russian].
- Minder L., Shokrollahi A. Cryptanalysis of the Sidelnikov cryptosystem // Advances in cryptology — EUROCRYPT 2007. Proc. 26th Annu. Int. Conf. Theory and Applications of Cryptographic Techniques (Barcelona, Spain, May 20–24, 2007). Heidelberg: Springer, 2007. P. 347–360. (Lect. Notes Comput. Sci.; V. 4515). DOI: 10.1007/978-3-540-72540-4_20.
- Overbeck R., Sendrier N. Code-based cryptography // Post-quantum cryptography. Heidelberg: Springer, 2009. P. 95–145.
- González de la Torre M. A., Hernández Encinas L., Sánchez García J. I. Structural analysis of code-based algorithms of the NIST postquantum call // Logic J. IGPL. 2024. V. 33, No. 5. Article ID jzae071. 12 p. DOI: 10.1093/jigpal/jzae071.
- Alagic G., Bros M., Ciadoux P. [et al.]. Status report on the fourth round of the NIST post-quantum cryptography standardization process. Gaithersburg, MD: NIST, 2025. DOI: 10.6028/NIST.IR.8545.
- Alagic G., Apon D. C., Cooper D. [et al.]. Status report on the third round of the NIST post-quantum cryptography standardization process. Gaithersburg, MD: NIST, 2022. DOI: 10.6028/NIST.IR.8413-upd1.
- Alagic G., Alperin-Sheriff J., Apon D. C. [et al.]. Status report on the second round of the NIST post-quantum cryptography standardization process. Gaithersburg, MD: NIST, 2020. DOI: 10.6028/NIST.IR.8309.
- Albrecht M. R., Bernstein D. J., Chou T. [et al.]. Classic McEliece // Post-quantum cryptography. Round 3 submissions. Gaithersburg, MD: NIST, 2020. URL: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions (accessed: 6.03.2026).
- Bernstein D. J., Chou T., Cid C. [et al.]. Classic McEliece // Post-quantum cryptography. Round 4 submissions. Gaithersburg, MD: NIST, 2022. URL: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-4-submissions (accessed: 6.03.2026).
- Bernstein D. J., Chou T., Cid C. [et al.]. Classic McEliece. Implementation. Chicago: Univ. Ill. Chic., 2022. URL: https://classic.mceliece.org/impl.html (accessed: 6.03.2026).
- CIRCL: Cloudflare interoperable reusable cryptographic library. San Francisco: Cloudflare, 2023. URL: https://github.com/cloudflare/circl (accessed: 6.03.2026).
- Implement Classic McEliece. San Francisco: Cloudflare, 2022. URL: https://github.com/cloudflare/circl/pull/378 (accessed: 6.03.2026).
- Open Quantum Safe liboqs: C library for prototyping and experimenting with quantum-resistant cryptography. 2025. URL: https://github.com/open-quantum-safe/liboqs/tree/main/src/kem/classic_mceliece (accessed: 6.03.2026).
- Wiggers T., Stebila D. Clean, portable, tested implementations of postquantum cryptography. 2023. URL: https://github.com/PQClean/PQClean (accessed: 6.03.2026).
- Hülsing A., Ning K.-C., Schwabe P., Weber F., Zimmermann P. R. Post-quantum WireGuard // Proc. 42nd IEEE Symp. Security and Privacy (San Francisco, USA, May 24–27, 2021). Los Alamitos, CA: IEEE Comput. Soc., 2021. P. 304–321. DOI: 10.1109/SP40001.2021.00030.
- Software co-design acceleration of Classic McEliece key encapsulation mechanism. 2021. URL: https://github.com/beatsnbytes/classic_mceliece (accessed: 6.03.2026).
- Discrete math final project for 2018 — Implementation of the McEliece cryptosystem. 2018. URL: https://github.com/arpanrau/McEliece-Implementation (accessed: 6.03.2026).
- Nießen T. Purely educational PoC design and implementation of a PQC key exchange using Classic McEliece. 2019. URL: https://github.com/tniessen/node-mceliece-key-exchange-poc (accessed: 6.03.2026).
- Bernstein D. J. The McEliece cryptosystem // Talks 1st PostQuantum Cryptography Summer School in Universities (Chengdu, China, July 17, 2024). 76 p. URL: https://cr.yp.to/talks/2024.07.17/slides-djb-20240717-mceliece-4x3.pdf (accessed: 6.03.2026).
- GOST 34.11—2018. Information technology. Cryptographic data security. Hash function. Introduced 01.06.2019. Moscow: Standartinform, 2018. 25 p. [Russian].
- Vysotskaya V. V., Chizhov I. V. Design criteria of a new code-based KEM // J. Comput. Virol. Hacking Tech. 2024. V. 20, No. 3. P. 497–511. DOI: 10.1007/s11416-024-00527-z.
- Ge J., Liao H., Xue R. Measure-rewind-extract: Tighter proofs of one-way to hiding and CCA security in the quantum random oracle model // Advances in cryptology — ASIACRYPT 2024. Proc. 30th Int. Conf. Theory and Application of Cryptology and Information Security (Kolkata, India, Dec. 9–13, 2024). Pt. IV. Singapore: Springer, 2024. P. 3–34. (Lect. Notes Comput. Sci.; V. 15487). DOI: 10.1007/978-981-96-0894-2_1.
- Stern J. A new identification scheme based on syndrome decoding // Advances in cryptology — CRYPTO’93. Proc. 13th Annu. Int. Cryptology Conf. (Santa Barbara, USA, Aug. 22–26, 1993). Heidelberg: Springer, 1994. P. 13–21. (Lect. Notes Comput. Sci.; V. 773). DOI: 10.1007/3-540-48329-2_2.
- Vysotskaya V. V., Chizhov I. V. The security of the code-based signature scheme based on the Stern identification protocol // Prikl. Diskretn. Mat. 2022. No. 57. P. 67–90. DOI: 10.17223/20710410/57/5.
- Tsaregorodtsev K. D. A ternary forking lemma and its application to the security analysis of a code-based signature scheme // Prikl. Diskretn. Mat. 2023. No. 59. P. 58–71 [Russian]. DOI: 10.17223/20710410/59/3.
- Vysotskaya V. V., Das D. K. Analysis of the resistance of the post-quantum digital signature “Shipovnik” to attacks targeting hash functions // Proc. XXVI Int. Sci.-Pract. Conf. “RusCrypto” (Moscow, Russia, Mar. 19–22, 2024). Moscow: RusCrypto, 2024. 36 p. [Russian]. URL: https://ruscrypto.ru/resource/archive/rc2024/files/05_vysotskaya_das.pdf (accessed: 6.03.2026).
- Open implementation of the “Shipovnik” digital signature algorithm for TC26. Moscow: QApp, 2023. [Russian]. URL: https://github.com/QAPP-tech/shipovnik_tc26 (accessed: 6.03.2026).
- Prange E. The use of information sets in decoding cyclic codes // IRE Trans. Inf. Theory. 1962. V. 8, No. 5. P. 5–9. DOI: 10.1109/TIT.1962.1057777.
- Sendrier N. Decoding one out of many // Post-quantum cryptography. Proc. 4th Int. Workshop (Taipei, China, Nov. 29 – Dec. 2, 2011). Heidelberg: Springer, 2011. P. 51–67. (Lect. Notes Comput. Sci.; V. 7071). DOI: 10.1007/978-3-642-25405-5_4.
- Löndahl C., Johansson T., Shooshtari M. K., Ahmadian-Attari M., Aref M. R. Squaring attacks on McEliece public-key cryptosystems using quasi-cyclic codes of even dimension // Des. Codes Cryptogr. 2016. V. 80, No. 2. P. 359–377. DOI: 10.1007/s10623-015-0099-x.
- Guo Q., Johansson T., Löndahl C. A new algorithm for solving ring-lpn with a reducible polynomial // IEEE Trans. Inf. Theory. 2015. V. 61, No. 11. P. 6204–6212. DOI: 10.1109/TIT.2015.2475738.
- Guo Q., Johansson T., Stankovski P. A key recovery attack on MDPC with CCA security using decoding errors // Advances in cryptology — ASIACRYPT 2016. Proc. 22nd Int. Conf. Theory and Application of Cryptology and Information Security (Hanoi, Vietnam, Dec. 4–8, 2016). Pt. I. Heidelberg: Springer, 2016. P. 789–815. (Lect. Notes Comput. Sci.; V. 10031). DOI: 10.1007/978-3-662-53887-6_29.
- Nilsson A., Johansson T., Wagner P. S. Error amplification in code-based cryptography // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019. V. 2019, No. 1. P. 238–258. DOI: 10.46586/tches.v2019.i1.238-258.
- Aguilar-Melchor C., Blazy O., Deneuville J.-C. [et al.]. Efficient encryption from random quasi-cyclic codes // IEEE Trans. Inf. Theory. 2018. V. 64, No. 5. P. 3927–3943. DOI: 10.1109/TIT.2018.2804444.
- Gaborit P., Aguilar-Melchor C., Aragon N. [et al.]. HQC cryptosystem specification. Gaithersburg, MD: NIST, 2025. URL: https://pqc-hqc.org/doc/hqc_specifications_2025_08_22.pdf (accessed: 6.03.2026).
- Gaborit P., Aguilar-Melchor C., Aragon N. [et al.]. HQC. NIST submission packages. 2025. URL: https://pqc-hqc.org/doc/archive_submissions.zip (accessed: 6.03.2026).
- Gaborit P., Aguilar-Melchor C., Aragon N. [et al.]. HQC. Optimized implementation. 2024. URL: https://web.archive.org/web/20250712014511/pqc-hqc.org/doc/hqc-optimized-implementation_2024-10-30.zip (accessed: 6.03.2026).
- Aragon N., Barreto P., Bettaieb S. [et al.]. BIKE cryptosystem specification. Gaithersburg, MD: NIST, 2024. URL: https://bikesuite.org/files/v5.2/BIKE_Spec.2024.10.10.1.pdf (accessed: 6.03.2026).
- Misoczki R., Tillich J.-P., Sendrier N. [et al.]. MDPC-McEliece: New McEliece variants from moderate density parity-check codes // Proc. 2013 IEEE Int. Symp. Information Theory (Istanbul, Turkey, July 7–12, 2013). Piscataway: IEEE, 2013. P. 2069–2073. DOI: 10.1109/ISIT.2013.6620590.
- Aragon N., Barreto P., Bettaieb S. [et al.]. BIKE. Reference implementation. 2024. URL: https://bikesuite.org/reference.html (accessed: 6.03.2026).
- Additional implementation of BIKE. Seattle: AWS Labs, 2024. URL: https://github.com/awslabs/bike-kem (accessed: 6.03.2026).
- Mangard S., Oswald E., Popp T. Power analysis attacks: Revealing the secrets of smart cards. New York: Springer, 2007. 338 p. DOI: 10.1007/978-0-387-38162-6.
- Standaert F. X. Introduction to side-channel attacks // Secure integrated circuits and systems. New York: Springer, 2010. P. 27–42. DOI: 10.1007/978-0-387-71829-3_2.
- Peeters E., Standaert F. X., Quisquater J. J. Power and electromagnetic analysis: Improved model, consequences and comparisons // Integration. 2007. V. 40, No. 1. P. 52–60. DOI: 10.1016/j.vlsi.2005.12.013.
- Standaert F. X., Mace F., Peeters E. [et al.]. Updates on the security of FPGAs against power analysis attacks // Reconfigurable computing: Architectures and applications. Rev. Sel. Pap. 2nd Int. Workshop (Delft, The Netherlands, Mar. 1–3, 2006). Heidelberg: Springer, 2006. P. 335–346. (Lect. Notes Comput. Sci.; V. 3985). DOI: 10.1007/11802839_42.
- Zhukov A. E. Side-channel cryptanalysis (side channel attacks) // Zashchita Inf. Insaid. 2010. No. 5. P. 28–33 [Russian].
- Chari S., Rao J. R., Rohatgi P. Template attacks // Cryptographic hardware and embedded systems — CHES 2002. Rev. Pap. 4th Int. Workshop (Redwood Shores, CA, USA, Aug. 13–15, 2002). Heidelberg: Springer, 2003. P. 13–28. (Lect. Notes Comput. Sci.; V. 2523). DOI: 10.1007/3-540-36400-5_3.
- Anderson R., Kuhn M. Tamper resistance — A cautionary note // Proc. 2nd USENIX Workshop Electronic Commerce (Oakland, CA, USA, Nov. 18–21, 1996). Pittsburgh, PA: Carnegie Mellon Univ., 1996. P. 1–11.
- Tuyls P., Schrijen G.-J., Škorić B. [et al.]. Read-proof hardware from protective coatings // Cryptographic hardware and embedded systems — CHES 2006. Proc. 8th Int. Workshop (Yokohama, Japan, Oct. 10–13, 2006). Heidelberg: Springer, 2006. P. 369–383. (Lect. Notes Comput. Sci.; V. 4249). DOI: 10.1007/11894063_29.
- Shamir A. Protecting smart cards from passive power analysis with detached power supplies // Cryptographic hardware and embedded systems — CHES 2000. Proc. 2nd Int. Workshop (Worcester, MA, USA, Aug. 17–18, 2000). Heidelberg: Springer, 2000. P. 71–77. (Lect. Notes Comput. Sci.; V. 1965). DOI: 10.1007/3-540-44499-8_5.
- Goubin L., Patarin J. DES and differential power analysis. The “Duplication” method // Cryptographic hardware and embedded systems. Proc. 1st Int. Workshop (Worcester, MA, USA, Aug. 12–13, 1999). Heidelberg: Springer, 1999. P. 158–172. (Lect. Notes Comput. Sci.; V. 1717). DOI: 10.1007/3-540-48059-5_15.
- May D., Muller H. L., Smart N. P. Random register renaming to foil DPA // Cryptographic hardware and embedded systems — CHES 2001. Proc. 3rd Int. Workshop (Paris, France, May 14–16, 2001). Heidelberg: Springer, 2001. P. 28–38. (Lect. Notes Comput. Sci.; V. 2162). DOI: 10.1007/3-540-44709-1_4.
- Chari S., Jutla C. S., Rao J. R. [et al.]. Towards sound approaches to counteract power-analysis attacks // Advances in cryptology — CRYPTO’99. Proc. 19th Annu. Int. Cryptology Conf. (Santa Barbara, USA, Aug. 15–19, 1999). Heidelberg: Springer, 1999. P. 398–412. (Lect. Notes Comput. Sci.; V. 1666). DOI: 10.1007/3-540-48405-1_26.
- Ueno R., Homma N., Aoki T. Toward more efficient DPA-resistant AES hardware architecture based on threshold implementation // Constructive side-channel analysis and secure design. Rev. Sel. Pap. 8th Int. Workshop (Paris, France, Apr. 13–14, 2017). Cham: Springer, 2017. P. 50–64. (Lect. Notes Comput. Sci.; V. 10348). DOI: 10.1007/978-3-319-64647-3_4.
- Schwabe P., Stoffelen K. All the AES you need on Cortex-M3 and M4 // Selected areas in cryptography — SAC 2016. Rev. Sel. Pap. 23rd Int. Conf. (St. John’s, NL, Canada, Aug. 10–12, 2016). Cham: Springer, 2016. P. 180–194. (Lect. Notes Comput. Sci.; V. 10532). DOI: 10.1007/978-3-319-69453-5_10.
- Tiri K., Akmal M., Verbauwhede I. A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards // Proc. 28th European Solid-State Circuits Conf. (Florence, Italy, Sept. 24–26, 2002). Piscataway: IEEE, 2002. P. 403–406.
- Patterson N. The algebraic decoding of Goppa codes // IEEE Trans. Inf. Theory. 1975. V. 21, No. 2. P. 203–207. DOI: 10.1109/TIT.1975.1055350.
- Strenzke F., Tews E., Molter G. [et al.]. Side channels in the McEliece PKC // Post-quantum cryptography. Proc. 2nd Int. Workshop (Cincinnati, OH, USA, Oct. 17–19, 2008). Heidelberg: Springer, 2008. P. 216–229. (Lect. Notes Comput. Sci.; V. 5299). DOI: 10.1007/978-3-540-88403-3_15.
- Avanzi R., Hoerder S., Page D. [et al.]. Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems // J. Cryptogr. Eng. 2011. V. 1, No. 4. P. 271–281. DOI: 10.1007/s13389-011-0024-9.
- Shoufan A., Strenzke F., Molter H. G. [et al.]. A timing attack against Patterson algorithm in the McEliece PKC // Information security and cryptology — ICISC 2009. Rev. Sel. Pap. 12th Int. Conf. (Seoul, Korea, Dec. 2–4, 2009). Heidelberg: Springer, 2010. P. 161–175. (Lect. Notes Comput. Sci.; V. 5984). DOI: 10.1007/978-3-642-14423-3_12.
- Strenzke F. A timing attack against the secret permutation in the McEliece PKC // Post-quantum cryptography. Proc. 3rd Int. Workshop (Darmstadt, Germany, May 25–28, 2010). Heidelberg: Springer, 2010. P. 95–107. (Lect. Notes Comput. Sci.; V. 6061). DOI: 10.1007/978-3-642-12929-2_8.
- Strenzke F. Timing attacks against the syndrome inversion in code-based cryptosystems // Post-quantum cryptography. Proc. 5th Int. Workshop (Limoges, France, June 4–7, 2013). Heidelberg: Springer, 2013. P. 217–230. (Lect. Notes Comput. Sci.; V. 7932). DOI: 10.1007/978-3-642-38616-9_15.
- Heyse S., Moradi A., Paar C. Practical power analysis attacks on software implementations of McEliece // Post-quantum cryptography. Proc. 3rd Int. Workshop (Darmstadt, Germany, May 25–28, 2010). Heidelberg: Springer, 2010. P. 108–125. (Lect. Notes Comput. Sci.; V. 6061). DOI: 10.1007/978-3-642-12929-2_9.
- Molter H. G., Stöttinger M., Shoufan A. [et al.]. A simple power analysis attack on a McEliece cryptoprocessor // J. Cryptogr. Eng. 2011. V. 1, No. 1. P. 29–36. DOI: 10.1007/s13389-011-0001-3.
- Shoufan A., Wink T., Molter H. G. [et al.]. A novel processor architecture for McEliece cryptosystem and FPGA platforms // Proc. 20th IEEE Int. Conf. Application-Specific Systems, Architectures and Processors (Boston, MA, USA, July 7–9, 2009). Los Alamitos, CA: IEEE Comput. Soc., 2009. P. 98–105. DOI: 10.1109/ASAP.2009.29.
- Heyse S., Von Maurich I., Güneysu T. Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices // Cryptographic hardware and embedded systems — CHES 2013. Proc. 15th Int. Workshop (Santa Barbara, USA, Aug. 20–23, 2013). Heidelberg: Springer, 2013. P. 273–292. (Lect. Notes Comput. Sci.; V. 8086). DOI: 10.1007/978-3-642-40349-1_16.
- Von Maurich I., Güneysu T. Towards side-channel resistant implementations of QC-MDPC McEliece encryption on constrained devices // Post-quantum cryptography. Proc. 6th Int. Workshop (Waterloo, ON, Canada, Oct. 1–3, 2014). Cham: Springer, 2014. P. 266–282. (Lect. Notes Comput. Sci.; V. 8772). DOI: 10.1007/978-3-319-11659-4_16.
- Von Maurich I., Güneysu T. Lightweight code-based cryptography: QC-MDPC McEliece encryption on reconfigurable devices // Proc. 2014 Design, Automation and Test in Europe Conf. (Dresden, Germany, Mar. 24–28, 2014). Piscataway: IEEE, 2014. P. 1–6. DOI: 10.7873/DATE.2014.051.
- Chen C., Eisenbarth T., Von Maurich I. [et al.]. Differential power analysis of a McEliece cryptosystem // Applied cryptography and network security. Rev. Sel. Pap. 13th Int. Conf. (New York, USA, June 2–5, 2015). Cham: Springer, 2015. P. 538–556. (Lect. Notes Comput. Sci.; V. 9092). DOI: 10.1007/978-3-319-28166-7_26.
- Schamberger T., Renner J., Sigl G. [et al.]. A power side-channel attack on the CCA2-secure HQC KEM // Smart card research and advanced applications. Rev. Sel. Pap. 19th Int. Conf. (Lübeck, Germany, Nov. 18–19, 2020). Cham: Springer, 2020. P. 119–134. (Lect. Notes Comput. Sci.; V. 12609). DOI: 10.1007/978-3-030-68487-7_8.
- Hlauschek C., Lahr N., Schröder R. L. On the timing leakage of the deterministic re-encryption in HQC KEM. San Diego, 2021. 24 p. (Cryptol. ePrint Archive / Univ. California; Pap. 2021/1485/20211115:124514). URL: https://eprint.iacr.org/archive/2021/1485/20211115:124514 (accessed: 6.03.2026).
- Wafo-Tapa G., Bettaieb S., Bidoux L. [et al.]. A practicable timing attack against HQC and its countermeasure // Adv. Math. Commun. 2022. V. 16, No. 3. P. 621–642. DOI: 10.3934/amc.2020126.
- Paiva T. B., Terada R. A timing attack on the HQC encryption scheme // Selected areas in cryptography — SAC 2019. Rev. Sel. Pap. 26th Int. Conf. (Waterloo, ON, Canada, Aug. 12–16, 2019). Cham: Springer, 2019. P. 551–573. (Lect. Notes Comput. Sci.; V. 11959). DOI: 10.1007/978-3-030-38471-5_22.
- Lahr N., Niederhagen R., Petri R. [et al.]. Side channel information set decoding using iterative chunking: Plaintext recovery from the “Classic McEliece” hardware reference implementation // Advances in cryptology — ASIACRYPT 2020. Proc. 26th Int. Conf. Theory and Application of Cryptology and Information Security (Daejeon, South Korea, Dec. 7–11, 2020). Pt. I. Cham: Springer, 2020. P. 881–910. (Lect. Notes Comput. Sci.; V. 12491). DOI: 10.1007/978-3-030-64837-4_29.
- Guo Q., Johansson A., Johansson T. A key-recovery side-channel attack on Classic McEliece implementations // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022. V. 2022, No. 4. P. 800–827. DOI: 10.46586/tches.v2022.i4.800-827.
- Pircher S., Geier J., Danner J. [et al.]. Key-recovery fault injection attack on the Classic McEliece KEM // Code-based cryptography. Rev. Sel. Pap. 10th Int. Workshop (Trondheim, Norway, May 29–30, 2022). Cham: Springer, 2022. P. 37–61. (Lect. Notes Comput. Sci.; V. 13839). DOI: 10.1007/978-3-031-29689-5_3.
- Grosso V., Cayrel P.-L., Colombier B. [et al.]. Punctured syndrome decoding problem: Efficient side-channel attacks against Classic McEliece // Constructive side-channel analysis and secure design. Proc. 14th Int. Workshop (Munich, Germany, Apr. 3–4, 2023). Cham: Springer, 2023. P. 170–192. (Lect. Notes Comput. Sci.; V. 13979). DOI: 10.1007/978-3-031-29497-6_9.
- Brinkmann M., Chuengsatiansup C., May A. [et al.]. Leaky McEliece: Secret key recovery from highly erroneous side-channel information // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2025. V. 2025, No. 2. P. 94–125. DOI: 10.46586/tches.v2025.i2.94-125.
- Bitzer S., Delvaux J., Kirshanova E. [et al.]. How to lose some weight: A practical template syndrome decoding attack // Des. Codes Cryptogr. 2025. V. 93, No. 7. P. 2503–2519. DOI: 10.1007/s10623-025-01603-1.
- Drăgoi V.-F., Colombier B., Vallet N. [et al.]. Full key-recovery cubic-time template attack on Classic McEliece decapsulation. San Diego, 2024. 25 p. (Cryptol. ePrint Archive / Univ. California; Pap. 2024/1694). URL: eprint.iacr.org/2024/1694 (accessed: 6.03.2026).
- Ueno R., Xagawa K., Tanaka Y. [et al.]. Curse of re-encryption: A generic power/EM analysis on post-quantum KEMs // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022. V. 2022, No. 1. P. 296–322. DOI: 10.46586/tches.v2022.i1.296-322.
- Bernstein D. J., Lange T., Peters C. Attacking and defending the McEliece cryptosystem // Post-quantum cryptography. Proc. 2nd Int. Workshop (Cincinnati, OH, USA, Oct. 17–19, 2008). Heidelberg: Springer, 2008. P. 31–46. (Lect. Notes Comput. Sci.; V. 5299). DOI: 10.1007/978-3-540-88403-3_3.
- Canteaut A., Chabaud F. A new algorithm for finding minimum-weight words in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511 // IEEE Trans. Inf. Theory. 1998. V. 44, No. 1. P. 367–378. DOI: 10.1109/18.651067.
- Canteaut A., Sendrier N. Cryptanalysis of the original McEliece cryptosystem // Advances in cryptology — ASIACRYPT’98. Proc. Int. Conf. Theory and Application of Cryptology and Information Security (Beijing, China, Oct. 18–22, 1998). Heidelberg: Springer, 1998. P. 187–199. (Lect. Notes Comput. Sci.; V. 1514). DOI: 10.1007/3-540-49649-1_16.
- Eaton E., Lequesne M., Parent A. [et al.]. QC-MDPC: A timing attack and a CCA2 KEM // Post-quantum cryptography. Proc. 9th Int. Conf. (Fort Lauderdale, FL, USA, Apr. 9–11, 2018). Cham: Springer, 2018. P. 47–76. (Lect. Notes Comput. Sci.; V. 10786). DOI: 10.1007/978-3-319-79063-3_3.
- Drucker N., Gueron S., Kostic D. QC-MDPC decoders with several shades of gray // Post-quantum cryptography. Proc. 11th Int. Conf. (Paris, France, Apr. 15–17, 2020). Cham: Springer, 2020. P. 35–50. (Lect. Notes Comput. Sci.; V. 12100). DOI: 10.1007/978-3-030-44223-1_3.
- Schamberger T., Holzbaur L., Renner J. [et al.]. A power side-channel attack on the Reed–Muller Reed–Solomon version of the HQC cryptosystem // Post-quantum cryptography. Proc. 13th Int. Conf. (Eindhoven, The Netherlands, Sept. 28–30, 2022). Cham: Springer, 2022. P. 327–352. (Lect. Notes Comput. Sci.; V. 13512). DOI: 10.1007/978-3-031-17234-2_16.
- Goy G., Loiseau A., Gaborit P. A new key recovery side-channel attack on HQC with chosen ciphertext // Post-quantum cryptography. Proc. 13th Int. Conf. (Eindhoven, The Netherlands, Sept. 28–30, 2022). Cham: Springer, 2022. P. 353–371. (Lect. Notes Comput. Sci.; V. 13512). DOI: 10.1007/978-3-031-17234-2_17.
- Chou T. QcBits: Constant-time small-key code-based cryptography // Cryptographic hardware and embedded systems — CHES 2016. Proc. 18th Int. Conf. (Santa Barbara, USA, Aug. 17–19, 2016). Heidelberg: Springer, 2016. P. 280–300. (Lect. Notes Comput. Sci.; V. 9813). DOI: 10.1007/978-3-662-53140-2_14.
- Rossi M., Hamburg M., Hutter M. [et al.]. A side-channel assisted cryptanalytic attack against QcBits // Cryptographic hardware and embedded systems — CHES 2017. Proc. 19th Int. Conf. (Taipei, China, Sept. 25–28, 2017). Cham: Springer, 2017. P. 3–23. (Lect. Notes Comput. Sci.; V. 10529). DOI: 10.1007/978-3-319-66787-4_1.
- Sim B.-Y., Kwon J., Choi K. Y. [et al.]. Novel side-channel attacks on quasi-cyclic code-based cryptography // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019. V. 2019, No. 4. P. 180–212. DOI: 10.46586/tches.v2019.i4.180-212.
- Guo Q., Hlauschek C., Johansson T. [et al.]. Don’t reject this: Key-recovery timing attacks due to rejection-sampling in HQC and BIKE // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022. V. 2022, No. 3. P. 223–263. DOI: 10.46586/tches.v2022.i3.223-263.
- Sendrier N. Secure sampling of constant-weight words — Application to BIKE. San Diego, 2021. 16 p. (Cryptol. ePrint Archive / Univ. California; Pap. 2021/1631). URL: https://eprint.iacr.org/2021/1631 (accessed: 6.03.2026).
- Huang S., Sim Q. R., Chuengsatiansup C. [et al.]. Cache-timing attack against HQC. San Diego, 2023. 34 p. (Cryptol. ePrint Archive / Univ. California; Pap. 2023/102). URL: https://eprint.iacr.org/2023/102 (accessed: 6.03.2026).
- Goy G., Maillard J., Gaborit P. [et al.]. Single trace HQC shared key recovery with SASCA // IACR Trans. Cryptogr. Hardw. Embed. Syst. 2024. V. 2024, No. 2. P. 64–87. DOI: 10.46586/tches.v2024.i2.64-87.
The research was carried out within the state assignment of the Sobolev Institute of Mathematics (project no. FWNF–2022–0019) and with financial support from the National Technology Center for Digital Cryptography. No additional grants were received to conduct or supervise this research.
Bakharev, Alexander Olegovich
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: a.bakharev@g.nsu.ru
Voronov, Denis Maksimovich
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: d.voronov2@g.nsu.ru
Kolomeets, Nikolay Alexandrovich
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: n.kolomeets@g.nsu.ru
Tokareva, Natalia Nikolaevna
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: crypto1127@mail.ru
Khilchuk, Irina Sergeevna
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: i.khilchuk@g.nsu.ru
Shaporenko, Alexander Sergeevich
- National Technology Center for Digital Cryptography, Ramensky blvd, 1, 119607 Moscow, Russia
- Novosibirsk State University, Pirogova st., 2, 630090 Novosibirsk, Russia
E-mail: a.shaporenko@g.nsu.ru
Received June 18, 2025.
Revised August 11, 2025.
Accepted for publication September 22, 2025.
