Abstract
ROLLO, for Rank-Ouroboros, LAKE and LOCKER, was a candidate to the second round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. In the latest update in April 2020, there was a key-encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose a side-channel attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to recover the private key. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By capturing power measurements during the execution of the Gaussian elimination function, we are able to extract each element of the syndrome from a single trace. This attack can also be applied to the decryption process of ROLLO-II. Finally, we give countermeasures based on masking and randomization to protect future implementations. We also report their impact on execution time.
Acknowledgements
The authors would like to thank Benoît Gérard for his helpful advice.
This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue: Coding and Cryptography 2022”.
Appendices
Appendix A: Algorithms for countermeasures with randomization
Appendix B: Fisher–Yates Algorithm
Appendix C: Toy example for the attack for the reference implementation
Let us take a small example, with \(q=2\), \(m=5\) and \(n=7\), to illustrate the information leakage that we found.
After the execution of the Gaussian elimination process, we guess from the power consumption analysis the masks in the first and second loops:
1. masks in the first loop for each column:
   $$(*, 1, 1, 1, 0, 0, 0),\ (1, *, 1, 0, 1, 1, 0),\ (1, 0, *, 0, 1, 0, 1),\ (1, 1, 1, *, 0, 1, 1),\ (1, 1, 1, 0, *, 1, 0)$$
2. masks of the second loop for each column:
   $$(*, 0, 0, 0, 1, 1, 1),\ (1, *, 1, 1, 0, 0, 1),\ (0, 1, *, 1, 0, 1, 0),\ (1, 1, 1, *, 0, 1, 0),\ (1, 1, 1, 0, *, 1, 1),$$
with \(*\) the pivot. As explained in Sect. 3.2, the \(*\) are replaced by one.
Let us focus on recovering the first two columns of the syndrome matrix. The recovered masks vector of the first loop, (1, 1, 1, 1, 0, 0, 0), gives the additions performed on the pivot row 0:
The masks vector of the second loop \( \sigma '_0={(1, 0, 0, 0, 1, 1, 1)}\) is the solution vector of the system of linear equations where \(s_{i,j}\) are unknowns. Thus, by applying a SageMath linear solver on the system
we find the solution (1, 0, 0, 0, 1, 1, 1), which corresponds to the first column of the syndrome matrix. SageMath is available at https://www.sagemath.org/. After processing the first column, we have the matrix
For the second column, the recovered masks vector of the first loop is (1, 0, 1, 0, 1, 1, 0). However, as explained in Sect. 3.2, only the rows for which the index row is greater than the index pivot row are added to the pivot row. Thus, in the recovered masks vector, we replace one by zero for \(i<1\). This gives us the vector \(\sigma _1 = { (0,0, 1,0,1,1,0)}\). In addition, the masks vector of the second loop is \(\sigma '_1 = { (1,1,1,1,0,0,1)}\). We can then apply a SageMath linear solver on the system
with \({\textbf{S}}_{0}[1]\) the column 1 of the matrix \({\textbf{S}}_{0}\).
The result of this system corresponds to the vector (1, 0, 1, 1, 1, 1, 0).
At the end, we have the matrix
We perform the same for the three remaining columns.
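The following Python script is an added worked example, not code from the paper or from either ROLLO implementation. It replays the toy example of this appendix end to end: it takes the ten leaked mask vectors above, recovers all five syndrome columns (the two worked out above plus the three remaining ones), then re-runs the elimination on the recovered matrix and checks that it reproduces exactly the leaked masks. The leakage model it assumes is inferred from the vectors in the appendix rather than stated there: in the first loop of pivot column \(j\) the implementation computes, for every row \(k \ne j\), the mask (pivot bit XOR bit of row \(k\)), adding row \(k\) to the pivot row only when \(k > j\) and the mask is 1; in the second loop the mask of row \(k\) is simply its bit in column \(j\). The small GF(2) solver stands in for the SageMath call. The point for a defender is visible in `recover_syndrome`: each mask is a GF(2)-linear function of the secret, so the masks determine the matrix uniquely, which is the dependency that masking and randomization countermeasures have to break.

```python
"""Replay of the Appendix C toy example (q = 2, m = 5, n = 7): recover the
syndrome matrix from the mask vectors leaked by constant-time Gaussian
elimination, then re-run the elimination to check the leak is reproduced.

Assumed leakage model (inferred from the appendix's vectors, not stated there):
  * first loop of pivot column j: for every row k != j the implementation
    computes mask_k = (pivot bit) XOR (bit of row k in column j), but adds
    row k to the pivot row only when k > j and mask_k = 1;
  * second loop: for every row k != j, mask_k = bit of row k in column j, and
    the pivot row is added to row k when mask_k = 1.
Every mask is therefore a GF(2)-linear function of the secret syndrome.
"""

PIVOT = None  # placeholder for the "*" (pivot) entries of Appendix C

# Mask vectors reported in Appendix C, one per pivot column (column j has its
# pivot in row j).
FIRST_LOOP = [
    [PIVOT, 1, 1, 1, 0, 0, 0],
    [1, PIVOT, 1, 0, 1, 1, 0],
    [1, 0, PIVOT, 0, 1, 0, 1],
    [1, 1, 1, PIVOT, 0, 1, 1],
    [1, 1, 1, 0, PIVOT, 1, 0],
]
SECOND_LOOP = [
    [PIVOT, 0, 0, 0, 1, 1, 1],
    [1, PIVOT, 1, 1, 0, 0, 1],
    [0, 1, PIVOT, 1, 0, 1, 0],
    [1, 1, 1, PIVOT, 0, 1, 0],
    [1, 1, 1, 0, PIVOT, 1, 1],
]


def xor_rows(a, b):
    return [x ^ y for x, y in zip(a, b)]


def solve_gf2(a, b):
    """Solve a.x = b over GF(2) by Gauss-Jordan; a must be square and invertible."""
    n = len(a)
    rows = [a[i][:] + [b[i]] for i in range(n)]          # augmented matrix
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = xor_rows(rows[r], rows[col])
    return [rows[i][n] for i in range(n)]               # left part is now I


def recover_syndrome(first_loop, second_loop):
    """Return the n x m syndrome matrix S implied by the leaked masks.

    t accumulates the row operations applied before column j, so the matrix
    the implementation works on at that point is t.S.  Column j of t.S is
    fixed by the masks: entry k != j is the second-loop mask of row k (those
    rows are untouched by the first loop), and the pivot entry is whatever
    makes the pivot bit equal 1 after the first-loop additions (the "* is
    replaced by one" rule of Sect. 3.2).  Solving t.c = column then yields the
    original column c of S, which is the SageMath step of the appendix.
    """
    m, n = len(first_loop), len(first_loop[0])
    t = [[int(i == k) for k in range(n)] for i in range(n)]   # identity
    cols = []
    for j in range(m):
        sigma, sigma2 = first_loop[j], second_loop[j]
        d = [0 if k == j else sigma2[k] for k in range(n)]
        added = [d[k] for k in range(j + 1, n) if sigma[k]]
        d[j] = (1 + sum(added)) % 2
        cols.append(solve_gf2(t, d))
        for k in range(j + 1, n):          # replay first-loop additions
            if sigma[k]:
                t[j] = xor_rows(t[j], t[k])
        for k in range(n):                 # replay second-loop additions
            if k != j and sigma2[k]:
                t[k] = xor_rows(t[k], t[j])
    return [[cols[j][i] for j in range(m)] for i in range(n)]


def eliminate_with_masks(s):
    """Run the elimination on a copy of s; return (first-loop masks,
    second-loop masks, reduced matrix) as an observer of the masks sees them."""
    mat = [row[:] for row in s]
    n, m = len(mat), len(mat[0])
    first, second = [], []
    for j in range(m):
        f = [PIVOT] * n
        for k in range(n):
            if k == j:
                continue
            f[k] = mat[j][j] ^ mat[k][j]          # mask computed for every row
            if k > j and f[k]:                    # only rows below the pivot are added
                mat[j] = xor_rows(mat[j], mat[k])
        g = [PIVOT if k == j else mat[k][j] for k in range(n)]
        for k in range(n):
            if k != j and g[k]:
                mat[k] = xor_rows(mat[k], mat[j])
        first.append(f)
        second.append(g)
    return first, second, mat


if __name__ == "__main__":
    for row in recover_syndrome(FIRST_LOOP, SECOND_LOOP):
        print("".join(map(str, row)))
```

Running the script prints the recovered 7 x 5 matrix; its first two columns are (1, 0, 0, 0, 1, 1, 1) and (1, 0, 1, 1, 1, 1, 0), as obtained above. The round trip through `eliminate_with_masks` is the useful self-check: if the assumed mask model were wrong, the simulated masks for columns 2 to 4 would not match the leaked ones.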
Cite this article
Cheriere, A., Mortajine, L., Richmond, T. et al. Exploiting ROLLO’s constant-time implementations with a single-trace analysis. Des. Codes Cryptogr. 92, 587–608 (2024). https://doi.org/10.1007/s10623-023-01227-3