Exploiting ROLLO's Constant-Time Implementations with a Single-Trace Analysis

Agathe Cheriere; Lina Mortajine; Tania Richmond; Nadia El Mrabet

Paper 2021/477

Exploiting ROLLO's Constant-Time Implementations with a Single-Trace Analysis

Agathe Cheriere

Lina Mortajine

Tania Richmond

Nadia El Mrabet

Abstract

ROLLO was a candidate to the second round of NIST Post-Quantum Cryptography standardization process. In the last update in April 2020, there was a key encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose an attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to perform a private key-recovery. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By getting power measurements during the execution of the Gaussian elimination function, we are able to extract on a single trace each element of the syndrome. This attack can also be applied to the decryption process of ROLLO-II.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: ROLLO side-channel attack power consumption analysis key-recovery attack single-trace analysis rank metric LRPC codes
Contact author(s): agathe cheriere @ irisa fr
lina mortajine @ gmail com
tania richmond nc @ gmail com
History: 2022-10-24: last of 2 revisions; 2021-04-15: received; See all versions
Short URL: https://ia.cr/2021/477
License: CC BY

BibTeX

@misc{cryptoeprint:2021/477,
      author = {Agathe Cheriere and Lina Mortajine and Tania Richmond and Nadia El Mrabet},
      title = {Exploiting ROLLO's Constant-Time Implementations with a Single-Trace Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2021/477},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/477}},
      url = {https://eprint.iacr.org/2021/477}
}