Exploiting ROLLO’s constant-time implementations with a single-trace analysis

Abstract

ROLLO, for Rank-Ouroboros, LAKE and LOCKER, was a candidate to the second round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. In the lastest update in April 2020, there was a key-encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose a side-channel attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to recover the private key. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By capturing power measurements during the execution of the Gaussian elimination function, we are able to extract from a single trace each element of the syndrome. This attack can also be applied to the decryption process of ROLLO-II. Finally, we give countermeasures based on masking and randomization to protect future implementations. We also provide their impact regarding the execution time.

Appendices

Appendix A Algorithms for countermeasures with randomization

Appendix B: Fisher–Yates Algorithm

Appendix C Toy example for the attack for the reference implementation

Let us take a small example, with \(q=2\), \(m=5\) and \(n=7\), to illustrate the information leakage that we found.

After the execution of the Gaussian elimination process, we guess from the power consumption analysis the masks in the first and second loops:

1. 1.

   masks in the first loop for each column:

   $$\begin{aligned}{} & {} {(*, 1, 1, 1, 0, 0, 0)},{ (1, *, 1, 0, 1, 1, 0)}, (1, 0, *, 0, 1, 0, 1), (1, 1, 1, *, 0, 1, 1),\\ {}{} & {} \quad (1, 1, 1, 0, *, 1, 0) \end{aligned}$$
2. 2.

   masks of the second loop for each column:

   $$\begin{aligned}{} & {} { (*, 0, 0, 0, 1, 1, 1)},{ (1, *, 1, 1, 0, 0, 1)}, (0, 1, *, 1, 0, 1, 0), (1, 1, 1, *, 0, 1, 0),\\{} & {} \quad (1, 1, 1, 0, *, 1, 1), \end{aligned}$$

   with \(*\) the pivot. As explained in Sect. 3.2, the \(*\) are replaced by one.

Let us focus on recovering the two first columns of the syndrome matrix. The recovered masks vector of the first loop (1, 1, 1, 1, 0, 0, 0) provides the additions on the pivot row 0:

The masks vector of the second loop \( \sigma '_0={(1, 0, 0, 0, 1, 1, 1)}\) is the solution vector of the system of linear equations where \(s_{i,j}\) are unknowns. Thus, by applying a SageMath linear solver on the system

$$\begin{aligned} J_0 \times {\textbf{S}}[0] = { (1 0 0 0 1 1 1)}^t, \end{aligned}$$

we find the solution (1, 0, 0, 0, 1, 1, 1), which corresponds to the first column of the syndrome matrix. SageMath is available at https://www.sagemath.org/. At the end of the process of the first column, we have the matrix

For the second column, the recovered masks vector of the first loop is (1, 0, 1, 0,  1, 1, 0). However, as explained in Sect. 3.2, only the rows for which the index row is greater than the index pivot row are added to the pivot row. Thus, in the recovered masks vector, we replace one by zero for \(i<1\). This gives us the vector \(\sigma _1 = { (0,0, 1,0,1,1,0)}\). In addition, the masks vector of the second loop is \(\sigma '_1 = { (1,1,1,1,0,0,1)}\). We can then apply a SageMath linear solver on the system

with \({\textbf{S}}_{0}[1]\) the column 1 of the matrix \({\textbf{S}}_{0}\).

The result of this system corresponds to the vector (1, 0, 1, 1, 1, 1, 0).

At the end, we have the matrix

We perform the same for the three remaining columns.