Expert Review #4: Quantum Resistant Algorithms Under Attack

Hey Kyber, Give Me a Sign! Side-Channel Risks Explained

As quantum resistant algorithms move closer to standardisation, understanding how they behave in real-world implementations is increasingly important – particularly when it comes to side channel resilience.

While much of the focus in post-quantum cryptography has been on algorithmic strength, this research serves as a timely reminder that implementation details can have an equally significant impact on security.

In this latest collaboration with eShard, we review a significant side-channel vulnerability in lattice-based implementations, as discovered earlier this year by Tolun Tosun, Amir Moradi, and Erkay Savas.

Their work highlights how characteristics shared by many implementations can be exploited in practice, even when established countermeasures such as masking are applied.

A Closer Look at the Vulnerability

The research describes how a property shared by many implementations, particularly of ML-KEM and ML-DSA, can be leveraged to mount a side-channel attack that works around masking countermeasures. This ongoing series continues our detailed look at masked implementations and their side-channel security, and highlights the importance of understanding the security of these techniques.

With the NIST standards expected to be widely adopted later this year, the impact of this work is likely to be felt in the immediate future.

Why This Matters for Post-Quantum Implementations

Post-quantum cryptography is moving from research into real-world use. As this happens, implementation security becomes just as important as the algorithms themselves.

This research shows that even when masking is applied, weaknesses can still appear. Choices such as signed arithmetic or how values are reduced can create side-channel leakage. These details are often overlooked but can have a real impact on security.

The findings also challenge the assumption that linear operations are easy to protect. In some cases, first-order masking does not provide enough protection on its own.

Implications Ahead of NIST Standard Adoption

The NIST post-quantum standards are expected to be adopted widely later this year. Many organisations are preparing to implement ML-KEM and ML-DSA as a result.

This work highlights the need to look closely at how these schemes are implemented in practice. Meeting the standard is only one part of the challenge. Implementations also need to be tested against realistic side-channel attacks.

As post-quantum deployments increase, careful design and thorough validation will be essential. This will help ensure that new cryptographic systems deliver the level of security they are intended to provide.

Find out more about our view on this topic here.

Want to find out more?

If you’d like to understand how these findings could affect your post-quantum strategy, or how PQShield approaches side-channel-resistant implementations, get in touch with the team to continue the conversation.

Frequently Asked Questions

What are quantum resistant algorithms?

Quantum resistant algorithms are cryptographic algorithms designed to remain secure against attacks from quantum computers.

Why are ML-KEM and ML-DSA significant?

They are lattice-based schemes selected by NIST for future post-quantum encryption and digital signatures.

What is central modular reduction?

It is a method where values are reduced to a signed range centred around zero, often for efficiency.

Why does signed arithmetic matter for side-channel security?

Signed representations can leak information through Hamming weight differences, enabling stronger attacks.
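The leakage described in this answer, as an added example that is not part of the original article: the Python below compares the Hamming weight of the same ML-KEM coefficient (modulus q = 3329) held in unsigned form and in centred (signed) form, assuming a 16-bit two's-complement coefficient register.

```python
# Added example, not from the original article. It illustrates the FAQ point:
# the same coefficient has a very different Hamming weight (HW) depending on
# whether it is held in unsigned form [0, q) or in centred/signed form
# (-q/2, q/2] inside a two's-complement register.
Q = 3329       # ML-KEM modulus
WIDTH = 16     # assumed register width for one coefficient

def reduce_unsigned(x: int) -> int:
    """Reduce x to the unsigned range [0, q)."""
    return x % Q

def reduce_centred(x: int) -> int:
    """Central modular reduction: reduce x to the signed range (-q/2, q/2]."""
    r = x % Q
    return r - Q if r > Q // 2 else r

def hamming_weight(value: int, width: int = WIDTH) -> int:
    """HW of value's two's-complement encoding in `width` bits."""
    return bin(value & ((1 << width) - 1)).count("1")

def mean_hw_by_half(reduce, width: int = WIDTH) -> tuple[float, float]:
    """Mean HW over all residues, split by whether the residue lies in the
    lower half [0, q/2] or the upper half (q/2, q) of Z_q. Under centred
    reduction the upper half becomes the negative values."""
    lower, upper = [], []
    for r in range(Q):
        hw = hamming_weight(reduce(r), width)
        (lower if r <= Q // 2 else upper).append(hw)
    return sum(lower) / len(lower), sum(upper) / len(upper)

def sign_hw_gap(width: int = WIDTH) -> tuple[float, float]:
    """Return (gap_unsigned, gap_centred): the difference in mean HW between
    the two halves under each representation. A large gap means the register's
    HW alone reveals which half (i.e. the sign) the coefficient is in."""
    lo_u, up_u = mean_hw_by_half(reduce_unsigned, width)
    lo_c, up_c = mean_hw_by_half(reduce_centred, width)
    return up_u - lo_u, up_c - lo_c

if __name__ == "__main__":
    for r in (1, 1664, 1665, Q - 1):
        u, c = reduce_unsigned(r), reduce_centred(r)
        print(f"r={r:4d} unsigned={u:5d} HW={hamming_weight(u):2d} "
              f"centred={c:5d} HW={hamming_weight(c):2d}")
    gap_u, gap_c = sign_hw_gap()
    print(f"mean HW gap between halves: unsigned={gap_u:.2f} centred={gap_c:.2f}")
```

Under unsigned reduction the two halves differ by about one bit of Hamming weight on average, whereas under centred reduction negative values carry the sign-extended high bits and the gap grows to more than five bits, which is the kind of sign-dependent leakage that a power or EM trace can pick up.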

Does this mean masking is ineffective?

No, but the research shows that first-order masking alone may not be sufficient in some implementations.