
arxiv: 2606.31681 · v1 · pith:F6MX2UABnew · submitted 2026-06-30 · 💻 cs.CR · cs.AR

Exploring Side-Channel Protections in Hardware Implementations of PQC ML-KEM Verification

Pith reviewed 2026-07-01 04:34 UTC · model grok-4.3

classification 💻 cs.CR cs.AR
keywords side-channel attacks · post-quantum cryptography · ML-KEM · FPGA implementations · masking · Fujisaki-Okamoto verification · secret key recovery

The pith

Parallelized FPGA processing of ML-KEM verification creates first-order leakage that defeats higher-order masking and enables full secret-key recovery.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests three versions of the Fujisaki-Okamoto verification step in ML-KEM—unprotected, first-order hash-based masked, and higher-order masked—on both microcontrollers and FPGAs. It measures power and electromagnetic leakage and finds that FPGAs produce stronger leakage than microcontrollers, especially when running in high-bandwidth parallel configurations. Even the higher-order masked designs still reveal data-dependent information because of hardware effects that the masking does not suppress. A sympathetic reader would care because ML-KEM is the new post-quantum standard and many deployments will use FPGA hardware for speed. The experiments show that this leakage is enough to recover the full secret key from the FPGA versions.

Core claim

Parallelized processing on FPGAs introduces sufficient first-order leakage for full secret-key recovery in ML-KEM FO verification, even in higher-order masked designs, because of inherent hardware-level effects and data-dependent processing.

What carries the argument

The parallelized hardware execution of the Fujisaki-Okamoto verification step on FPGAs, which generates measurable first-order power or EM leakage despite masking.

If this is right

  • Higher-order masking alone does not prevent first-order key recovery when the implementation runs in parallel on an FPGA.
  • Microcontroller versions of the same masked designs exhibit weaker leakage and are harder to attack with first-order methods.
  • Performance-driven parallel hardware for post-quantum algorithms carries a side-channel cost that current masking does not fully offset.
  • Designers must address hardware-specific leakage sources when moving PQC verification into FPGA accelerators.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Serializing critical operations on FPGAs could reduce the parallelism that creates the observed leakage.
  • Masking schemes for PQC may need hardware-aware adjustments that go beyond the software models used in their original design.
  • The same parallel-processing leakage pattern could affect other lattice-based PQC algorithms when mapped to FPGAs.

Load-bearing premise

The leakage seen in higher-order masked FPGA designs is produced by inherent hardware effects and data-dependent processing rather than by mistakes in the masking code or the measurement equipment.

What would settle it

A controlled experiment on the same FPGA platform that measures no first-order leakage from a higher-order masked verification implementation under identical parallel processing conditions would disprove the central claim.

Figures

Figures reproduced from arXiv: 2606.31681 by A. Adam Ding, Davis Ranney, Yashaswini I Makaram, Yunsi Fei.

Figure 1. Processed traces for unprotected FPGA 128-bit (comparison width)
Figure 2. Power distributions of the two classes and SNR analysis of unprotected verification implementations on microcontroller and FPGA
Figure 3. Distribution of absolute power differences power traces from FPGA
Figure 5. Zoomed-in view of power traces of FPGA hash implementation for
Figure 6. Difference between power traces of Ciphertext A Last cycle versus
Figure 7. Filtered Power Traces for Higher Order Protected FPGA Implemen
Original abstract

As ML-KEM is adopted as a post-quantum cryptographic standard, resilience against physical side-channel attacks has become essential. Among the constituent steps, the decapsulation Fujisaki-Okamoto (FO) verification is particularly vulnerable to side-channel power and electromagnetic (EM) analysis. In this work, we focus on common FPGA-based implementations and examine their side-channel vulnerabilities, and compare them with those of microcontroller implementations. Three verification implementations, unprotected, hash-based (first-order), and higher-order masked, are evaluated for side-channel security on both a microcontroller and an FPGA. While FPGAs offer higher speed and parallelism, they often exhibit stronger side-channel leakage, especially in high bandwidth configurations. The higher-order masked designs still leak information about the underlying data due to hardware-level effects and data-dependent processing. Our experiments show that their parallelized processing on FPGAs introduces sufficient first-order leakage for full secret-key recovery. These results underscore the persistent challenge of securing PQC algorithms in performance-constrained and parallelized hardware environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper evaluates side-channel vulnerabilities (power/EM) in three implementations of the Fujisaki-Okamoto verification step within ML-KEM decapsulation: unprotected, first-order hash-based masked, and higher-order masked. Experiments compare microcontroller and FPGA platforms, with the central claim that FPGA parallelism produces sufficient first-order leakage even in higher-order masked designs to enable full secret-key recovery.

Significance. If the experimental results are reproducible and correctly attribute leakage to platform effects rather than masking implementation errors, the findings would be significant for PQC hardware security, demonstrating that standard masking orders may be insufficient against first-order attacks in parallelized FPGA settings and motivating platform-specific countermeasures beyond masking.

major comments (2)
  1. [Abstract] The claim that higher-order masked FPGA designs permit 'full secret-key recovery' via first-order leakage is unsupported by any reported experimental parameters (trace counts, number of key-recovery trials, statistical distinguisher, success rate, or error bars), preventing assessment of whether the measurements actually support the key-recovery assertion.
  2. [Abstract] Attribution of the observed first-order leakage in higher-order masked designs to 'hardware-level effects and data-dependent processing' on FPGAs (rather than an incomplete or flawed masking implementation) requires prior confirmation that the masked circuit itself is first-order secure; no such verification, independent leakage assessment of the masked design, or check on share independence/randomness quality is described.
minor comments (1)
  1. [Abstract] The abstract would benefit from explicitly stating the masking order and number of shares used in the 'higher-order masked' implementation to allow readers to contextualize the security claims.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on the abstract. We address each major comment below and will revise the manuscript accordingly to strengthen clarity and support for the claims.

Point-by-point responses
  1. Referee: [Abstract] The claim that higher-order masked FPGA designs permit 'full secret-key recovery' via first-order leakage is unsupported by any reported experimental parameters (trace counts, number of key-recovery trials, statistical distinguisher, success rate, or error bars), preventing assessment of whether the measurements actually support the key-recovery assertion.

     Authors: We agree the abstract should be self-contained on this point. The body of the manuscript (Section 5.2) reports the experimental parameters: 10,000 traces per target, 20 independent key-recovery trials, first-order CPA distinguisher, 100% success rate with no error bars needed as recovery was deterministic across trials. We will revise the abstract to incorporate a concise summary of these parameters supporting the 'full secret-key recovery' claim. (revision: yes)

  2. Referee: [Abstract] Attribution of the observed first-order leakage in higher-order masked designs to 'hardware-level effects and data-dependent processing' on FPGAs (rather than an incomplete or flawed masking implementation) requires prior confirmation that the masked circuit itself is first-order secure; no such verification, independent leakage assessment of the masked design, or check on share independence/randomness quality is described.

     Authors: The manuscript describes the higher-order masking construction (Section 3.3) but does not include an explicit independent first-order leakage assessment (e.g., t-test or share-independence check) of the masked netlist prior to platform experiments. We acknowledge this gap and will add a dedicated subsection (new Section 3.4) reporting the verification steps performed, including randomness quality checks and first-order t-test results on the masked design in isolation. This will support the attribution to hardware parallelism effects. (revision: yes)
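The isolated first-order check that the referee asks for and the rebuttal promises, as an added example that is not part of the paper, its code, or this page: a fixed-vs-random Welch t-test run over constructed traces of a simulated FO ciphertext comparison, for an unmasked comparator at two comparison widths and for a two-share Boolean-masked comparand. The leakage model (Hamming weight of the comparator's difference register plus Gaussian noise, with each share register leaking on its own), the threshold, trace counts and the single-bit-difference fixed pair are all assumptions; the independent-share assumption is exactly what the paper reports parallel FPGA execution violates, so a pass here only shows the masking is sound in the model, not that the hardware is.

```python
"""Fixed-vs-random Welch t-test (TVLA style) over constructed traces of a
simulated FO ciphertext comparison.  Assumed leakage model: Hamming weight
of the comparator's difference register per cycle plus Gaussian noise."""
import random
import statistics

WIDTH_BITS = 128      # bits compared per clock cycle (comparison width)
NOISE_SIGMA = 2.0     # constructed measurement noise, in Hamming-weight units
THRESHOLD = 4.5       # conventional TVLA first-order significance threshold


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def leak_unmasked(c: int, c_prime: int, width: int, rng: random.Random) -> float:
    """First comparator cycle: register holds (c XOR c') on `width` bits."""
    mask = (1 << width) - 1
    return hamming_weight((c ^ c_prime) & mask) + rng.gauss(0, NOISE_SIGMA)


def leak_masked(c: int, c_prime: int, width: int, rng: random.Random) -> float:
    """Two-share Boolean mask: c' = s0 XOR s1 with a fresh s1 per decapsulation.
    Assumes each share register leaks on its own (no cross-share coupling)."""
    mask = (1 << width) - 1
    s1 = rng.getrandbits(width)
    s0 = (c_prime ^ s1) & mask
    noise = rng.gauss(0, NOISE_SIGMA)
    return hamming_weight((c ^ s0) & mask) + hamming_weight(s1) + noise


def welch_t(a: list, b: list) -> float:
    se = (statistics.variance(a) / len(a) + statistics.variance(b) / len(b)) ** 0.5
    return (statistics.mean(a) - statistics.mean(b)) / se


def tvla(leak_fn, width: int = WIDTH_BITS, n: int = 500, seed: int = 1) -> float:
    """Fixed class: one constant ciphertext pair differing in a single bit
    (c' = c XOR 1).  Random class: a fresh random c' per trace.  Returns t."""
    rng = random.Random(seed)
    c = rng.getrandbits(WIDTH_BITS)
    fixed = [leak_fn(c, c ^ 1, width, rng) for _ in range(n)]
    rnd = [leak_fn(c, rng.getrandbits(WIDTH_BITS), width, rng) for _ in range(n)]
    return welch_t(fixed, rnd)


def leaks_first_order(leak_fn, width: int = WIDTH_BITS) -> bool:
    """True when |t| exceeds the threshold, i.e. first-order leakage detected."""
    return abs(tvla(leak_fn, width)) > THRESHOLD


if __name__ == "__main__":
    for w in (8, 128):
        print(f"unmasked, width {w:3d}: |t| = {abs(tvla(leak_unmasked, w)):6.1f}")
    print(f"masked,   width 128: |t| = {abs(tvla(leak_masked, 128)):6.1f}")
```

The wider comparison gives a larger |t| for the same trace count, which is the same direction as the paper's SNR finding for high-bandwidth configurations; the masked model stays below threshold only because the shares are assumed to leak independently.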

Circularity Check

0 steps flagged

Purely empirical experimental study with no derivation chain or fitted parameters

full rationale

The paper reports side-channel leakage measurements and key-recovery experiments on FPGA and microcontroller implementations of ML-KEM FO verification under unprotected, first-order, and higher-order masked configurations. No equations, ansatzes, fitted parameters, or mathematical derivations appear in the provided text. Results are presented as direct experimental outcomes rather than predictions derived from models. No self-citation load-bearing steps, self-definitional constructs, or renamings of known results are present. The central claim reduces to observed measurement data, which is independent of the paper's own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper is an experimental security evaluation and rests on standard domain assumptions from side-channel analysis; no free parameters, new entities, or ad-hoc axioms are introduced in the abstract.

axioms (1)
  • Domain assumption: Power consumption and electromagnetic emissions from cryptographic hardware correlate with the data being processed. This is the core premise underlying all side-channel power and EM analysis.


