Cryptology ePrint Archive: Report 2021/477

Exploiting ROLLO's Constant-Time Implementations with a Single-Trace Analysis

Agathe Cheriere and Lina Mortajine and Tania Richmond and Nadia El Mrabet

Abstract: ROLLO was a candidate to the second round of NIST Post-Quantum Cryptography standardization process. In the last update in April 2020, there was a key encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose an attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to perform a private key-recovery. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By getting power measurements during the execution of the Gaussian elimination function, we are able to extract on a single trace each element of the syndrome. This attack can also be applied to the decryption process of ROLLO-II.

Category / Keywords: public-key cryptography / ROLLO, side-channel attack, power consumption analysis, key-recovery attack, single-trace analysis, rank metric, LRPC codes

Date: received 14 Apr 2021, last revised 18 Jun 2021

Contact author: agathe cheriere at irisa fr, lina mortajine at emse fr, tania richmond nc at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20210618:072132 (All versions of this report)

Short URL: ia.cr/2021/477


[ Cryptology ePrint archive ]