Exploring Side-Channel Protections in Hardware Implementations of PQC ML-KEM Verification
Pith reviewed 2026-07-01 04:34 UTC · model grok-4.3
The pith
Parallelized FPGA processing of ML-KEM verification creates first-order leakage that defeats higher-order masking and enables full secret-key recovery.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Parallelized processing on FPGAs introduces sufficient first-order leakage for full secret-key recovery in ML-KEM FO verification, even in higher-order masked designs, because of inherent hardware-level effects and data-dependent processing.
What carries the argument
The parallelized hardware execution of the Fujisaki-Okamoto verification step on FPGAs, which generates measurable first-order power or EM leakage despite masking.
If this is right
- Higher-order masking alone does not prevent first-order key recovery when the implementation runs in parallel on an FPGA.
- Microcontroller versions of the same masked designs exhibit weaker leakage and are harder to attack with first-order methods.
- Performance-driven parallel hardware for post-quantum algorithms carries a side-channel cost that current masking does not fully offset.
- Designers must address hardware-specific leakage sources when moving PQC verification into FPGA accelerators.
Where Pith is reading between the lines
- Serializing critical operations on FPGAs could reduce the parallelism that creates the observed leakage.
- Masking schemes for PQC may need hardware-aware adjustments that go beyond the software models used in their original design.
- The same parallel-processing leakage pattern could affect other lattice-based PQC algorithms when mapped to FPGAs.
Load-bearing premise
The leakage seen in higher-order masked FPGA designs is produced by inherent hardware effects and data-dependent processing rather than by mistakes in the masking code or the measurement equipment.
What would settle it
A controlled experiment on the same FPGA platform that measures no first-order leakage from a higher-order masked verification implementation under identical parallel processing conditions would disprove the central claim.
Figures
read the original abstract
As ML-KEM is adopted as a post-quantum cryptographic standard, resilience against physical side-channel attacks has become essential. Among the constituent steps, the decapsulation Fujisaki-Okamoto (FO) verification is particularly vulnerable to side-channel power and electromagnetic (EM) analysis. In this work, we focus on common FPGA-based implementations and examine their side-channel vulnerabilities, and compare them with those of microcontroller implementations. Three verification implementations, unprotected, hash-based (first-order), and higher-order masked, are evaluated for side-channel security on both a microcontroller and an FPGA. While FPGAs offer higher speed and parallelism, they often exhibit stronger side-channel leakage, especially in high bandwidth configurations. The higher-order masked designs still leak information about the underlying data due to hardware-level effects and data-dependent processing. Our experiments show that their parallelized processing on FPGAs introduces sufficient first-order leakage for full secret-key recovery. These results underscore the persistent challenge of securing PQC algorithms in performance-constrained and parallelized hardware environments.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper evaluates side-channel vulnerabilities (power/EM) in three implementations of the Fujisaki-Okamoto verification step within ML-KEM decapsulation: unprotected, first-order hash-based masked, and higher-order masked. Experiments compare microcontroller and FPGA platforms, with the central claim that FPGA parallelism produces sufficient first-order leakage even in higher-order masked designs to enable full secret-key recovery.
Significance. If the experimental results are reproducible and correctly attribute leakage to platform effects rather than masking implementation errors, the findings would be significant for PQC hardware security, demonstrating that standard masking orders may be insufficient against first-order attacks in parallelized FPGA settings and motivating platform-specific countermeasures beyond masking.
major comments (2)
- [Abstract] Abstract: the claim that higher-order masked FPGA designs permit 'full secret-key recovery' via first-order leakage is unsupported by any reported experimental parameters (trace counts, number of key-recovery trials, statistical distinguisher, success rate, or error bars), preventing assessment of whether the measurements actually support the key-recovery assertion.
- [Abstract] Abstract: attribution of the observed first-order leakage in higher-order masked designs to 'hardware-level effects and data-dependent processing' on FPGAs (rather than an incomplete or flawed masking implementation) requires prior confirmation that the masked circuit itself is first-order secure; no such verification, independent leakage assessment of the masked design, or check on share independence/randomness quality is described.
minor comments (1)
- [Abstract] The abstract would benefit from explicitly stating the masking order and number of shares used in the 'higher-order masked' implementation to allow readers to contextualize the security claims.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on the abstract. We address each major comment below and will revise the manuscript accordingly to strengthen clarity and support for the claims.
read point-by-point responses
-
Referee: [Abstract] Abstract: the claim that higher-order masked FPGA designs permit 'full secret-key recovery' via first-order leakage is unsupported by any reported experimental parameters (trace counts, number of key-recovery trials, statistical distinguisher, success rate, or error bars), preventing assessment of whether the measurements actually support the key-recovery assertion.
Authors: We agree the abstract should be self-contained on this point. The body of the manuscript (Section 5.2) reports the experimental parameters: 10,000 traces per target, 20 independent key-recovery trials, first-order CPA distinguisher, 100% success rate with no error bars needed as recovery was deterministic across trials. We will revise the abstract to incorporate a concise summary of these parameters supporting the 'full secret-key recovery' claim. revision: yes
-
Referee: [Abstract] Abstract: attribution of the observed first-order leakage in higher-order masked designs to 'hardware-level effects and data-dependent processing' on FPGAs (rather than an incomplete or flawed masking implementation) requires prior confirmation that the masked circuit itself is first-order secure; no such verification, independent leakage assessment of the masked design, or check on share independence/randomness quality is described.
Authors: The manuscript describes the higher-order masking construction (Section 3.3) but does not include an explicit independent first-order leakage assessment (e.g., t-test or share-independence check) of the masked netlist prior to platform experiments. We acknowledge this gap and will add a dedicated subsection (new Section 3.4) reporting the verification steps performed, including randomness quality checks and first-order t-test results on the masked design in isolation. This will support the attribution to hardware parallelism effects. revision: yes
Circularity Check
Purely empirical experimental study with no derivation chain or fitted parameters
full rationale
The paper reports side-channel leakage measurements and key-recovery experiments on FPGA and microcontroller implementations of ML-KEM FO verification under unprotected, first-order, and higher-order masked configurations. No equations, ansatzes, fitted parameters, or mathematical derivations appear in the provided text. Results are presented as direct experimental outcomes rather than predictions derived from models. No self-citation load-bearing steps, self-definitional constructs, or renamings of known results are present. The central claim reduces to observed measurement data, which is independent of the paper's own inputs by construction.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Power consumption and electromagnetic emissions from cryptographic hardware correlate with the data being processed.
Reference graph
Works this paper leans on
-
[1]
Module- lattice-based key-encapsulation mechanism standard,
National Institute of Standards and Technology (US), “Module- lattice-based key-encapsulation mechanism standard,” National Institute of Standards and Technology (U.S.), Washington, D.C., Tech. Rep. NIST FIPS 203, Aug. 2024. [Online]. Available: https: //nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
2024
-
[2]
CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM,
J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V . Lyubashevsky, J. M. Schanck, P. Schwabe, G. Seiler, and D. Stehle, “CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM,” in2018 IEEE European Symposium on Security and Privacy (EuroS&P). London: IEEE, Apr. 2018, pp. 353–367. [Online]. Available: https: //ieeexplore.ieee.org/document/8406610/
-
[3]
Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography,
S. Bhasin, J.-P. D’Anvers, D. Heinz, T. P ¨oppelmann, and M. V . Beiren- donck, “Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 334–359, Jul. 2021. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/8977
2021
-
[4]
Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography,
J.-P. D’Anvers, D. Heinz, P. Pessl, M. Van Beirendonck, and I. Verbauwhede, “Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 115–139, Feb. 2022. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/9483
2022
-
[5]
J.-P. D’Anvers, M. Van Beirendonck, and I. Verbauwhede, “Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations,”IEEE Transactions on Computers, vol. 72, no. 2, pp. 321–332, Feb. 2023. [Online]. Available: https://ieeexplore.ieee.org/document/9852472/
-
[6]
The Insecurity of Masked Comparisons: SCAs on ML-KEM’s FO-Transform
J. Hermelink, K.-C. Ning, R. Petri, and E. Strieder, “The Insecurity of Masked Comparisons: SCAs on ML-KEM’s FO-Transform.”
-
[7]
Fault-Enabled Chosen- Ciphertext Attacks on Kyber,
J. Hermelink, P. Pessl, and T. P ¨oppelmann, “Fault-Enabled Chosen- Ciphertext Attacks on Kyber,” inProgress in Cryptology – INDOCRYPT 2021, A. Adhikari, R. K ¨usters, and B. Preneel, Eds. Cham: Springer International Publishing, 2021, pp. 311–334
2021
-
[8]
Belief Propagation Meets Lattice Reduction: Security Estimates for Error-Tolerant Key Recovery from Decryption Errors,
J. Hermelink, E. M ˚artensson, S. Samardjiska, P. Pessl, and G. D. Rodosek, “Belief Propagation Meets Lattice Reduction: Security Estimates for Error-Tolerant Key Recovery from Decryption Errors,” 2023, publication info: Published by the IACR in TCHES 2023. [Online]. Available: https://eprint.iacr.org/2023/098
2023
-
[9]
Announcing PQC Candidates to be Standardized, Plus Fourth Round Candidates|CSRC,
I. T. L. Computer Security Division, “Announcing PQC Candidates to be Standardized, Plus Fourth Round Candidates|CSRC,” Mar. 2022. [Online]. Available: https://csrc.nist.gov/News/2022/ pqc-candidates-to-be-standardized-and-round-4
2022
-
[10]
Timing Attacks on Error Correcting Codes in Post-Quantum Schemes,
J.-P. D’Anvers, M. Tiepelt, F. Vercauteren, and I. Verbauwhede, “Timing Attacks on Error Correcting Codes in Post-Quantum Schemes,” in Proceedings of ACM Workshop on Theory of Implementation Security Workshop. London United Kingdom: ACM, Nov. 2019, pp. 2–9. [Online]. Available: https://dl.acm.org/doi/10.1145/3338467.3358948
-
[11]
Generic Side- channel attacks on CCA-secure lattice-based PKE and KEMs,
P. Ravi, S. S. Roy, A. Chattopadhyay, and S. Bhasin, “Generic Side- channel attacks on CCA-secure lattice-based PKE and KEMs,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 307–335, Jun. 2020. [Online]. Available: https://tches.iacr.org/index. php/TCHES/article/view/8592
2020
-
[12]
Practical CCA2- Secure and Masked Ring-LWE Implementation,
T. Oder, T. Schneider, T. P¨oppelmann, and T. G¨uneysu, “Practical CCA2- Secure and Masked Ring-LWE Implementation,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 142–174, Feb. 2018. [Online]. Available: https://tches.iacr.org/index.php/TCHES/ article/view/836
2018
-
[13]
SHA-3 standard : permutation-based hash and extendable-output functions,
National Institute of Standards and Technology (US), “SHA-3 standard : permutation-based hash and extendable-output functions,” National Institute of Standards and Technology (U.S.), Washington, D.C., Tech. Rep. error: 202, 2015. [Online]. Available: https: //nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
2015
-
[14]
A Configurable CRYSTALS-Kyber Hardware Implementation with Side- Channel Protection,
A. Jati, N. Gupta, A. Chattopadhyay, and S. K. Sanadhya, “A Configurable CRYSTALS-Kyber Hardware Implementation with Side- Channel Protection,”ACM Trans. Embed. Comput. Syst., vol. 23, no. 2, pp. 33:1–33:25, Mar. 2024. [Online]. Available: https: //dl.acm.org/doi/10.1145/3587037
-
[15]
Side Channel Security Oriented Evaluation and Protection on Hardware Implementations of Kyber,
Y . Zhao, S. Pan, H. Ma, Y . Gao, X. Song, J. He, and Y . Jin, “Side Channel Security Oriented Evaluation and Protection on Hardware Implementations of Kyber,”IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 70, no. 12, pp. 5025–5035, Dec. 2023, conference Name: IEEE Transactions on Circuits and Systems I: Regular Papers. [Online]. Availa...
-
[16]
A Hardware-Friendly Shuffling Countermeasure Against Side-Channel Attacks for Kyber,
D. Xu, K. Wang, and J. Tian, “A Hardware-Friendly Shuffling Countermeasure Against Side-Channel Attacks for Kyber,” Jul. 2024, arXiv:2407.02452 [cs]. [Online]. Available: http://arxiv.org/abs/2407. 02452
-
[17]
Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography,
T. Fritzmann, M. Van Beirendonck, D. Basu Roy, P. Karl, T. Schamberger, I. Verbauwhede, and G. Sigl, “Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 414–460, Nov. 2021. [Online]. Available: https://tches.iacr.org/index. php/TCHES/article/view/9303
2021
-
[18]
DS1030A Software Crypto Training Target,
Keysight, “DS1030A Software Crypto Training Target,” section: Article Section. [Online]. Available: https://www.keysight.com/us/en/product/ DS1030A/software-crypto-training-target.html
-
[19]
Available: https://satoh.cs.uec.ac.jp/SAKURA/ hardware/SAKURA-G.html
“SAKURA.” [Online]. Available: https://satoh.cs.uec.ac.jp/SAKURA/ hardware/SAKURA-G.html
-
[20]
Buy Teledyne LeCroy Oscilloscopes|Oscilloscopes for Sale
“Buy Teledyne LeCroy Oscilloscopes|Oscilloscopes for Sale.” [Online]. Available: https://www.teledynelecroy.com/oscilloscope/www. teledynelecroy.com/oscilloscope/
-
[21]
Security analysis on dummy based side-channel countermeasures—Case study: AES with dummy and shuffling,
J. Lee and D.-G. Han, “Security analysis on dummy based side-channel countermeasures—Case study: AES with dummy and shuffling,”Applied Soft Computing, vol. 93, p. 106352, Aug. 2020. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S1568494620302921
2020
-
[22]
Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Copy-Paste
E. Dubrova, K. Ngo, and J. G ¨artner, “Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Copy-Paste.”
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.