The three-volume proceedings LNCS 12491, 12492, and 12493 constitutes the proceedings of the 26th International Conferen


*English*
*Pages 914 [927]*
*Year 2021*

*Table of contents:*

- Preface
- Organization
- Abstracts of Invited Talks
  - Unlikely Friendships: The Fruitful Interplay of Cryptographic Assumptions
  - Approximate Computation on Encrypted Data
- Contents – Part I
- Contents – Part II
- Contents – Part III
- Best Paper Awards
  - Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness
    1 Introduction 1.1 Background 1.2 Our Results 1.3 Technical Overview 1.4 Related Work 1.5 Paper Organization 2 Preliminaries 2.1 Quantum Algorithms 2.2 Technical Lemmas 3 Quantum Primitives and Black-Box Quantum Reductions 3.1 Concrete Primitives 4 Impossibility of Reduction from QC-qCRH to CC-qOWP 4.1 The Technically Hardest Part 4.2 Proof of Theorem 3 5 Impossibility of Reduction from QC-qCRH to CC-qTDP References
  - New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions
    1 Introduction 2 Preliminaries 2.1 The Gimli Permutation 2.2 Previous Work 3 Internal Symmetry Distinguishers Against Gimli 3.1 23-Round Practical Distinguisher 3.2 Distinguisher on Full Gimli and Extensions 4 Classical Collisions on Reduced-Round Gimli-Hash 4.1 The Gimli-Hash Function 4.2 SP-Box Equations and How to Solve Them 4.3 Practical 8-Round Collision Attack 4.4 Semi-free Start Collisions on Reduced-Round Gimli 5 Better Quantum Collision Attacks 5.1 Tools, Model and Complexity Estimates 5.2 Example 5.3 Quantum Collision Bounds and Quantum Attacks 5.4 Quantum Collision Attacks on Gimli 6 Statistical Analyses of Gimli 6.1 Linear Cryptanalysis 6.2 Differential-Linear Cryptanalysis 7 Conclusion References
  - SQISign: Compact Post-quantum Signatures from Quaternions and Isogenies
    1 Introduction 2 Preliminaries 2.1 The Deuring Correspondence 2.2 Algorithmic Building Blocks 3 New Identification Protocol and Signature Scheme 3.1 An Identification Protocol 3.2 Soundness 3.3 Zero-Knowledge: Two Insecure Approaches 3.4 The Signature Scheme 4 Eichler Orders and the Deuring Correspondence 4.1 Commutative Isogeny Diagrams 4.2 The Endomorphism Ring O 4.3 Ideal Class Sets of Eichler Orders 5 New Generalized KLPT Algorithm 5.1 The Generic Algorithm 5.2 On the Length of the Solution 6 Application to the Signature Scheme: The SigningKLPT Algorithm 6.1 The Randomization Procedure 6.2 Eichler Modular Constraint 6.3 Suitable Values for e0 and e1 6.4 Termination, Correctness and Complexity 7 Zero-Knowledge 7.1 On the Distribution of Signatures 7.2 Hardness Assumption for Zero-Knowledge 8 Efficiency 8.1 Translating Ideals to Isogenies 8.2 Choosing the Parameters 8.3 Defining the Key Space 8.4 The Concrete Protocol 8.5 Response and Verification 8.6 The Concrete Instantiation 9 Conclusion References
- Encryption Schemes
  - Public-Key Generation with Verifiable Randomness
    1 Introduction 2 Preliminaries 3 Model 3.1 Syntax 3.2 Security 4 Generic Constructions 4.1 Key-Generation Protocol with Verifiable Randomness for Probabilistic Circuits 4.2 RSA-Key Generation Protocol with Verifiable Randomness 5 Instantiation of the RSA-Key Generation Protocol 5.1 Zero-Knowledge Argument with the Dodis-Yampolskiy PRF 5.2 Logarithmic-Size Argument of Double Discrete Logarithm 5.3 An Intermediate Protocol in G2 5.4 Protocol for R0 References
  - Simulation-Sound Arguments for LWE and Applications to KDM-CCA2 Security
    1 Introduction 1.1 Our Contributions 1.2 Technical Overview 1.3 Related Work 1.4 Organization 2 Background 2.1 Lattices 2.2 Correlation Intractable Hash Functions 2.3 Admissible Hash Functions 2.4 Trapdoor -protocols 2.5 R-Lossy Public-Key Encryption With Efficient Opening 3 Direct Construction of Unbounded Simulation-Sound NIZK Arguments 3.1 An RBM-Lossy PKE Scheme from LWE 3.2 A Generic Construction from Trapdoor -Protocols and RBM-lossy PKE 4 Tightly Secure Simulation-Sound Arguments 4.1 An RPRF-Lossy PKE Scheme 4.2 Unbounded Simulation-Sound Argument 5 Trapdoor -Protocols for ACPS Ciphertexts References
  - CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors
    1 Introduction 1.1 Contribution 2 Preliminaries 2.1 Public-Key Encryption and Key-Encapsulation Mechanisms 2.2 Identity-Based Encryption 3 CCA Security from Non-Negligible Correctness Errors 3.1 On the Correctness Error 3.2 Compiler for Immunizing Decryption Errors 3.3 Transformations T and U 3.4 Non Black-Box Use: The Transformation T 3.5 Comparison of the Two Approaches 4 Our Transform in Practice 4.1 Code-Based KEMs 4.2 Lattice-Based KEMs 4.3 Implementation Aspects 5 Application to Bloom Filter KEMs 5.1 IBE with Negligible from Non-Negligible Correctness Error 5.2 BFKEM from IBE with Negligible Correctness Error 5.3 Comparison of BFKEM Instantiations References
  - Possibility and Impossibility Results for Receiver Selective Opening Secure PKE in the Multi-challenge Setting
    1 Introduction 1.1 Our Results 1.2 Technical Overview 1.3 Related Works 1.4 Roadmap 2 Preliminaries 2.1 Assumptions and Cryptographic Primitives 2.2 PKE with RSOk Security 3 Lower Bound for PKE with RSOk Security 4 RSOk Security RSOk+1 Security 5 RSOk Secure PKE with (Nearly) Optimal Secret Key Length 5.1 SIM-RSOk-CPA Secure PKE with (Nearly) Optimal Secret Key Length 5.2 SIM-RSOk-CCA Secure PKE with (Nearly) Optimal Secret Key Length 5.3 Proof of Theorem 5.1 5.4 Proof of Theorem 5.2 6 Conclusion References
  - Security Reductions for White-Box Key-Storage in Mobile Payments
    1 Introduction 2 Preliminaries and Notation 3 Hardware-Bound White-Box Key Derivation Function 3.1 Hardware Module 3.2 Construction of a WKDF 4 Secure Payment Application 4.1 Security of White-Box Payment Applications 4.2 Construction of White-Box Payment Scheme References
  - Circular Security Is Complete for KDM Security
    1 Introduction 1.1 Background 1.2 Our Results 1.3 Paper Organization 2 Technical Overview 2.1 Secret-Key TE 2.2 Secret-Key TE Based on Circular Secure SKE 2.3 Towards the Completeness in the Public-Key Setting 3 Preliminaries 3.1 Basic Notation and Notions 3.2 Public-Key and Secret-Key Encryption 3.3 Targeted Encryption 3.4 Additional Primitives 4 Targeted Encryption from Circular Security and Leakage-Resilience 5 Implications of Our TE Scheme 6 Conformed Targeted Encryption 6.1 Definitions 6.2 Construction 7 KDM-CCA Security in the Multi-key Setting References
- Post-quantum Cryptography
  - Scalable Ciphertext Compression Techniques for Post-quantum KEMs and Their Applications
    1 Introduction 1.1 Our Contributions and Techniques 2 Preliminaries 2.1 Hard Problems for Lattices 2.2 Hard Problems for Isogenies 3 Multi-recipient PKE and KEM 3.1 Decomposable Multi-recipient Public Key Encryption 3.2 Multi-recipient Key Encapsulation Mechanism 3.3 Recipient Anonymity for mPKE and mKEM 4 FO Transform: (IND-CPA mPKE) (IND-CCA mKEM) 4.1 Generic Construction via FO Transform 4.2 Proof for Classical Case 4.3 Proof for Quantum Case 4.4 Adding Recipient Anonymity 5 Multi-recipient KEM from Post-quantum Assumptions 5.1 Multi-recipient KEM from Lattices 5.2 Multi-recipient KEMs from Isogenies 6 Instantiating mKEM with NIST Candidates and CSIDH 6.1 Comparison Methodology 6.2 Instantiation with Lattice-Based NIST Candidates 6.3 Instantiation with Isogeny-Based Schemes 7 Application to Secure Group Messaging 7.1 Syntax and Notations for Group Messaging 7.2 Concrete Instantiations of m-ary TreeKEM References
  - Post-Quantum Verification of Fujisaki-Okamoto
    1 Introduction 2 Quantum Relational Hoare Logic 2.1 Quantum While Language 2.2 QRHL Judgements 2.3 Reasoning in qRHL 2.4 The qrhl-tool 3 Fujisaki-Okamoto à la HKSU 3.1 Transformation Punc 3.2 Transformation T 3.3 Transformation Um 4 Formalizing HKSU – the Specification 5 Formalizing HKSU – The Proof 6 Conclusion References
  - A New Decryption Failure Attack Against HQC
    1 Introduction 1.1 Related Works 1.2 Contributions 1.3 Organizations 2 Description of HQC 2.1 Notation 2.2 The HQC Scheme 2.3 Parameter Settings 3 Basic Ideas for the Attack 4 Attack Model and Detailed Steps 4.1 Weak-Ciphertext Preparation 4.2 Collecting Errors 4.3 Statistical Analysis 4.4 Information Set Decoding 4.5 Simulation Results on hqc-256-1 4.6 Summarizing the Complexity of Attacking hqc-256-1 5 On Other HQC Parameters 6 Discussion and Countermeasures 7 Concluding Remarks References
- Cryptanalysis
  - A Bit-Vector Differential Model for the Modular Addition by a Constant
    1 Introduction 2 Preliminaries 2.1 Notations 2.2 Differential Cryptanalysis 2.3 Differential Models 3 Bit-Vector Differential Model of the Constant Addition 3.1 Validity 3.2 Weight of a Valid Differential 3.3 Error Analysis - Proof of Theorem 4 4 SMT-Based Search of Characteristics 4.1 Encoding the SMT Problems 4.2 Implementation 5 Experiments 6 Conclusion References
  - Mind the Propagation of States
    1 Introduction 2 Preliminaries 2.1 Notations 2.2 A Brief Introduction of Impossible Differentials and Impossible (s+1)-Polytopic Transitions 2.3 SAT Problem and STP 3 New Definitions of Impossible Differentials and Impossible (s+1)-Polytopic Transitions 3.1 New Definitions of Impossible Differentials and Impossible (s+1)-Polytopic Transitions 3.2 The Equivalence of i-impossible (s+1)-Polytopic Transitions and Traditional Impossible (s+1)-Polytopic Transitions 4 Automatic Search Method 4.1 Model the Propagation of the State by Statements in CVC Format 4.2 The Automatic Search Method for Redefined Impossible Differentials and Impossible (s + 1)-Polytopic Transitions 5 Applications to Impossible Differentials from the Aspect of Cryptanalysis 5.1 GIFT64 5.2 PRINTcipher 5.3 MISTY1 5.4 RC5 6 Applications to Impossible Differentials from the Aspect of Design 6.1 Direct Application to GIFT64, PRESENT, Midori64, PRINTcipher48, and PRINTcipher96 6.2 Three Phases Technique: Apply to AES-128 6.3 Combination of Three Phases Technique and Inside Value Technique: Application to MISTY1 7 Applications to Impossible (s+1)-Polytopic (s2) Transitions 7.1 The d-Impossible Polytopic Transitions of PRINTcipher 7.2 The 7-Round d-Impossible 3-Polytopic Transition of GIFT64 7.3 The 7-Round i-Impossible 4-Polytopic Transition of PRESENT 7.4 The 3-Round i-Impossible 3-Polytopic Transition of RC5-32 and RC5-64 8 Conclusion References
  - An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums
    1 Introduction 2 Preliminaries 3 Monomial Prediction 3.1 Derived Function 4 Application I: Degree Evaluation 4.1 Compute Exact Algebraic Degree of a Boolean Function 4.2 Application to Trivium 5 Application II: Cube Attacks 5.1 Apply Monomial Prediction to Superpoly Recovery 5.2 Application to Trivium 6 Division Property from an Algebraic Viewpoint 6.1 A Perfect Detection Algorithm Based on Monomial Prediction 6.2 No-False-Alarm Detection Algorithms 6.3 The Three-Subset Bit-Based Division Property Without Unknown Subset is Perfect 6.4 An Alternative Detection Algorithm for Division Property 7 Conclusion and Discussion References
  - An Algebraic Attack on Ciphers with Low-Degree Round Functions: Application to Full MiMC
    1 Introduction 1.1 Our Contribution 2 Preliminaries 2.1 Polynomial Representations over Binary Extension Fields 2.2 Higher-Order Differential Cryptanalysis 2.3 Specification and Previous Analysis of MiMC 3 Higher-Order Differentials of Key-Alternating Ciphers 3.1 Setting 3.2 Growth of the Degree 3.3 Comparison with Other Bounds 4 Distinguishers for Reduced-Round and Full MiMC 4.1 Secret-Key Higher-Order Distinguisher for MiMC 4.2 Practical Results 4.3 Known-Key Zero-Sum Distinguisher for MiMC 4.4 Impact of the Known-Key Distinguisher on Full MiMC 4.5 Results Using the Division Property 5 Key-Recovery Attack on MiMC 5.1 Strategy of the Attack 5.2 Details of the Attack 5.3 Complexity Estimation 5.4 Practical Verification 6 An Algebraic Attack on Ciphers with Low-Degree Round Functions 6.1 Setting 6.2 Strategy of the Attack 6.3 Comparison with Related Work 7 Concluding Remarks and Future Work References
  - Improvements of Algebraic Attacks for Solving the Rank Decoding and MinRank Problems
    1 Introduction 2 Notation 3 Algebraic Modeling of the MinRank and the Decoding Problem 3.1 Modeling of MinRank 3.2 The Approach Followed in ch17BBBGNRT19 to Solve the Decoding Problem 3.3 The New Approach: Specializing the Identity in C 4 Solving RD: Overdetermined Case 4.1 The Overdetermined Case 4.2 Improvement in the ``Super''-Overdetermined Case by Puncturing 4.3 Reducing to the Overdetermined Case: Hybrid Attack 5 Solving RD and MinRank: Underdetermined Case 5.1 Solving (3) by Direct Linearization 5.2 Solving Support Minors Modeling at a Higher Degree, q>b 5.3 The q=2 Case 5.4 Toward the br+2 Case 5.5 Improvements for Generic Minrank 5.6 Experimental Results for Generic Minrank 5.7 Using Support Minors Modeling Together with MaxMin for RD 5.8 Last Step of the Attack 6 Complexity of the Attacks for Different Cryptosystems and Comparison with Generic Gröbner Basis Approaches 6.1 Attacks Against the Rank Decoding Problem 6.2 Attacks Against the MinRank Problem 6.3 Our Approach vs. Using Generic Gröbner Basis Algorithms 7 Examples of New Parameters for ROLLO-I and RQC 8 Conclusion References
  - Lower Bounds on the Degree of Block Ciphers
    1 Introduction 2 Notation and Preliminaries 2.1 Previous Works on Division Properties 2.2 Division Properties and the ANF 3 High-Level Approach 3.1 Minimum Degree 3.2 Appearance of All High-Degree Monomials 3.3 The Key Pattern 4 How to Search Input/Key/Output Patterns 5 Applications 5.1 GIFT 5.2 SKINNY64 5.3 PRESENT 5.4 AES 6 Conclusion References
  - Towards Closing the Security Gap of Tweak-aNd-Tweak (TNT)
    1 Introduction 2 Distinguishers on TNT 2.1 General Setup 2.2 Cross-Road Distinguisher 2.3 Parallel-Road Distinguisher 2.4 Efficiency 3 An Impossible-Differential Attack on TNT-AES [5, *, *] 3.1 Core Idea 3.2 Messages 3.3 Success Probability, Advantage, and Data Complexity 3.4 Procedure 3.5 Computational and Memory Complexity 3.6 Experiments 4 Provable Security Preliminaries 4.1 Provable Security Notations 4.2 Expectation Method 4.3 Mirror Theory 4.4 Transcript Graph 4.5 Extended Mirror Theory 4.6 Universal Hashing 5 TPRP Proof of TNT 5.1 Oracle Descriptions 5.2 Definition of Bad Transcripts 5.3 Analysis of Bad Transcripts 5.4 Analysis of Good Transcripts 6 Summary and Discussion References
- Symmetric Key Cryptography
  - Minimizing the Two-Round Tweakable Even-Mansour Cipher
    1 Introduction 2 Preliminaries 2.1 A Simple Result on Probability 2.2 Security Definition 2.3 H-Coefficient Technique 2.4 Sum Capture Lemma 3 BBB Security of Single Permutation Variant of 2-TEM 3.1 Security Statement 3.2 Definition and Probability of Bad Transcripts 3.3 Analysis of Good Transcripts 4 Proof of Good Lemma 4.1 Establishing Lower Bound on p() 4.2 Lower Bound of p1() 4.3 Lower Bound on p2() 4.4 Final Step of the Proof 5 BBB Security of Two Permutations Variant of 4-TEM 5.1 Security Statement 5.2 Definition and Probability of Bad Transcripts 5.3 Analysis of Good Transcripts 6 Conclusion References
  - Beyond Birthday Bound Secure Fresh Rekeying: Application to Authenticated Encryption
    1 Introduction 1.1 Beyond Birthday Bound Security Block Cipher Rekeying 1.2 Application: Rekeying-Based Authenticated Encryption 1.3 Outline 2 Preliminaries 2.1 (Tweakable) Block Ciphers 2.2 Universal Hashing 2.3 Rekeying Schemes and Security Model 3 State of the Art on Rekeying Schemes 4 State of the Art on Tweak-Rekeyable Tweakable Block Ciphers 5 Improved DKM+2 Instantiations 5.1 First Scheme 5.2 Second Scheme 6 Simpler Optimally Secure Block Cipher Rekeying 7 Instantiations 8 Cost Comparison 9 Authenticated Encryption from Fresh Rekeying 9.1 Authenticated Encryption 9.2 CB 9.3 Instantiation of CB with R1-R3 10 Concluding Remarks References
  - Tight Security Analysis of 3-Round Key-Alternating Cipher with a Single Permutation
    1 Introduction 2 Preliminaries 2.1 Basic Notations 2.2 Indistinguishability Framework 2.3 The H-Coefficient Method 2.4 A Useful Lemma 3 The Main Result and New Representation 3.1 3-Round KAC with a Single Permutation 3.2 Statement of the Result and Discussion 3.3 New Representation 4 Proof of Theorem 1 4.1 Transcripts and p() 4.2 Two Technical Lemmas 4.3 Concluding the Proof of Theorem 1 5 A Type of Combinatorial Problem 5.1 Counting Framework 5.2 The Key Subproblem in 3KACSP 6 Conclusion and Discussion References
- Message Authentication Codes
  - Improved Security Analysis for Nonce-Based Enhanced Hash-then-Mask MACs
    1 Introduction 2 Preliminaries 3 Extended Mirror Theory 4 Security of nEHtM Based on a Block Cipher 4.1 Graph Representation of Transcripts 4.2 Bad Transcripts 4.3 Concluding the Proof Using Mirror Theory 5 Security of nEHtM Based on a Pseudorandom Function 6 Security of Truncated nEHtM A Proof of Theorem 1 References
  - On the Adaptive Security of MACs and PRFs
    1 Introduction 1.1 Our Results 1.2 Overview 2 Preliminaries and Definitions 2.1 Multi-user Secure MACs Under Adaptive Corruption 2.2 Intractability Assumptions 2.3 Black-Box Reductions 2.4 Security Loss 3 Main Theorem 3.1 Technical Overview 4 Proof of Lemma 1 4.1 Analyzing the Ideal Adversary 4.2 Analyzing the Meta-reduction 4.3 Comparing the Real and Hybrid Experiments 4.4 Comparing the Hybrid and Ideal Experiments 4.5 Bounding the Hybrid's Failure Probability 4.6 Bounding the Security Loss References
  - How to Build Optimally Secure PRFs Using Block Ciphers
    1 Introduction 1.1 Our Contributions 2 Preliminaries 2.1 Keyed Functions and Block Ciphers 2.2 Universal Hash Functions 2.3 Coefficient-H Technique 3 Benes and mBenes Transformations 3.1 Revisiting the Security Analysis of Benes and mBenes 4 HtmB: Hash Then Modified Benes 4.1 HtmB-f: Random Function Based Construction 4.2 HtmB-p1: Random Permutation Based Construction 4.3 HtmB-p2: An Improvement over HtmB-p1 5 mLightMAC+ and mPMAC+ 5.1 mLightMAC+ 5.2 mPMAC+ 6 Proofs Related to LightHash and PHash 6.1 Proof of Lemma 5.1 6.2 Proof of Lemma 5.2 7 Reducing the Number of Keys 8 Conclusion 8.1 Further Discussion References
- Side-Channel Analysis
  - SILVER – Statistical Independence and Leakage Verification
    1 Introduction 2 Background 2.1 Notation 2.2 Reduced Ordered Binary Decision Diagrams (ROBDDs) 2.3 Circuit Model 2.4 Security Notions 3 Verification Concept 3.1 Leakage Models 3.2 Verification Approach 4 Statistical Independence and Security Checks 4.1 Statistical Independence 4.2 d-Probing Security 4.3 d-Non-Interference 4.4 d-Strong Non-Interference 4.5 d-Probe-Isolating Non-Interference 4.6 Uniformity 5 Related Work 5.1 Comparison to maskVerif 6 Experiments and Evaluations 7 Conclusion References
  - Cryptanalysis of Masked Ciphers: A Not So Random Idea
    1 Introduction 2 Preliminaries 2.1 Fourier Analysis 2.2 Boolean Masking and Threshold Implementations 3 A Bounded-Query Probing Model 3.1 Threshold Probing 3.2 Modeling Glitches 4 Bound on the Advantage 5 Fourier Analysis of Shared Functions 5.1 Restrictions of Shared Functions 5.2 Correlations Between Probed Values 6 Cryptanalysis of Masked Ciphers 7 Application to LED 7.1 Description of LED 7.2 Sharing Second-Order LED 7.3 Probing Security of One Round 7.4 Probing Nearby Rounds: Zero Correlation 7.5 Five Rounds or More: Low Correlation 7.6 Influence of the Key-Schedule 7.7 Simulation-Based Verification 8 Application to Other Primitives 8.1 Immediate Applications 8.2 Applications Requiring Additional Techniques 9 Conclusion and Future Work A Sharings of the Present S-Box A.1 Decomposition A.2 Seven-Sharing of G(x,y,z,w) A.3 Three-Sharing of G(x,y,z,w) A.4 Improved Linear Properties B Seven-Sharing of the Prince S-Box C Entropy Estimators and Software Details C.1 Entropy Estimation and Confidence Intervals References
  - Packed Multiplication: How to Amortize the Cost of Side-Channel Masking?
    1 Introduction 1.1 Our Contributions 1.2 Related Works 1.3 Organization 2 Preliminary 2.1 Notations 2.2 Private Circuits 2.3 Composable Security Notions 2.4 Different Types of Gadgets 3 New Security Notions for MIMO gadgets 3.1 Limitation of NI/SNI with MIMO Gadgets 3.2 Intuition Behind the New Security Notions 3.3 New Security Notion for MIMO Gadgets 3.4 New Security Notion for Gadgets with Packed sharings 4 Packed Multiplication Gadget 4.1 Construction 4.2 Correctness of Gadget 1 4.3 Security of Gadget 1 5 Linear Gadgets 5.1 Trivial Implementation 5.2 Why a d-CNI Linear Gadget Is Necessary? 5.3 New Construction of Linear Operation 5.4 Linear Gadgets for Packed sharings 6 Application to AES SubBytes 6.1 Implementation Approach Using the Tower Field Method 6.2 Implementation Results 7 Application to GHASH, AES-GCM, and More 7.1 A Brief Description of GHASH and AES-GCM 7.2 Provably Secure Masked Implementation of Polynomial-Evaluation Hash 7.3 More Applications of the Masked Polynomial-Evaluation Hash References
  - Side Channel Information Set Decoding Using Iterative Chunking
    1 Introduction 2 Background 2.1 Information Set Decoding 2.2 McEliece Cryptosystem 2.3 Niederreiter Cryptosystem 2.4 Timing Side-Channel Attack on McEliece 3 Reaction-based Side-Channel Analysis 3.1 Side-Channel Attack on Niederreiter 3.2 Reducing the Number of Queries with Information Set Decoding 3.3 Reducing the Number of Queries with Iterative Chunking 3.4 Combining Iterative Chunking with Information Set Decoding 4 Attack Evaluation 4.1 Leakage Analysis 4.2 Building an Oracle in Practice 4.3 Practical Evaluation 5 Application Perspectives of Iterative Chunking 6 Conclusion References
- Author Index