Assessing the Feasibility of Single Trace Power Analysis of Frodo

  • Joppe W. BosEmail author
  • Simon Friedberger
  • Marco Martinoli
  • Elisabeth Oswald
  • Martijn Stam
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11349)


Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al. (HOST’18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions.

Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.’s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al. we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.


Side-channel analysis LWE Frodo Template attacks Lattices 



Open image in new window The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme Marie Skłodowska-Curie ITN ECRYPT-NET (Project Reference 643161) and Horizon 2020 project PQCRYPTO (Project Reference 645622). Furthermore, Elisabeth Oswald was partially funded by H2020 grant SEAL (Project Reference 725042). We thank the authors of ELMO for their kind help, comments and feedback.

Supplementary material


  1. 1.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2018 (2018, to appear)Google Scholar
  3. 3.
    Batina, L., Chmielewski, Ł., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 21–36. Springer, Cham (2014). Scholar
  4. 4.
    Biryukov, A., Dinu, D., Großschädl, J.: Correlation power analysis of lightweight block ciphers: from theory to practice. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 537–557. Springer, Cham (2016). Scholar
  5. 5.
    Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1006–1018. ACM Press, Oct. (2016)Google Scholar
  6. 6.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). Scholar
  7. 7.
    Devoret, M.H., Schoelkopf, R.J.: Superconducting circuits for quantum information: an outlook. Science 339(6124), 1169–1174 (2013)CrossRefGoogle Scholar
  8. 8.
    Kelly, J., et al.: State preservation by repetitive error detection in a superconducting quantum circuit. Nature 519, 66–69 (2015)CrossRefGoogle Scholar
  9. 9.
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Lemke, K., Schramm, K., Paar, C.: DPA on n-bit sized Boolean and arithmetic operations and its application to IDEA, RC6, and the HMAC-construction. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 205–219. Springer, Heidelberg (2004). Scholar
  11. 11.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). Scholar
  12. 12.
    McCann, D., Oswald, E., Whitnall, C.: Implementation of ELMO. Accessed 27 Nov 2017
  13. 13.
    McCann, D., Oswald, E., Whitnall, C.: Towards practical tools for side channel aware software engineering: ‘grey box’ modelling for instruction leakages. In: 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, 16–18 August 2017, pp. 199–216 (2017)Google Scholar
  14. 14.
    McDonnell, M.D., Stocks, N.G., Pearce, C.E.M., Abbott, D.: Stochastic Resonance - From Suprathreshold Stochastic Resonance to Stochastic Signal Quantization. Cambridge University Press, Cambridge (2008)CrossRefGoogle Scholar
  15. 15.
    Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2017).
  16. 16.
    National Institute of Standards and Technology. Post-quantum cryptography standardization.
  17. 17.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005Google Scholar
  18. 18.
    Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). Scholar
  19. 19.
  20. 20.
    Whitnall, C., Oswald, E.: A comprehensive evaluation of mutual information analysis using a fair evaluation framework. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 316–334. Springer, Heidelberg (2011). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Joppe W. Bos
    • 1
    Email author
  • Simon Friedberger
    • 1
    • 2
  • Marco Martinoli
    • 3
  • Elisabeth Oswald
    • 3
  • Martijn Stam
    • 3
  1. 1.NXP SemiconductorsEindhovenNetherlands
  2. 2.KU Leuven - iMinds - COSICLeuvenBelgium
  3. 3.University of BristolBristolUK

Personalised recommendations