Exploiting ROLLO’s constant-time implementations with a single-trace analysis
Designs, Codes and Cryptography (IF 1.6). Pub Date: 2023-04-29. DOI: 10.1007/s10623-023-01227-3
Agathe Cheriere, Lina Mortajine, Tania Richmond, Nadia El Mrabet

ROLLO, for Rank-Ouroboros, LAKE and LOCKER, was a candidate in the second round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. In the latest update, in April 2020, it comprised a key-encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose a side-channel attack that recovers the syndrome during the decapsulation process of ROLLO-I, and we explain how the private key can be recovered from that syndrome. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By capturing power measurements during the execution of the Gaussian elimination function, we are able to extract every element of the syndrome from a single trace. The attack also applies to the decryption process of ROLLO-II. Finally, we give countermeasures based on masking and randomization to protect future implementations, and we report their impact on execution time.

Updated: 2023-04-29