Side-channel attacks on post-quantum cryptography
Side-channel attacks recover secret keys from how a cryptographic implementation behaves, not from any weakness in the underlying mathematics. By measuring the time an operation takes, the power it draws, its electromagnetic emissions, or its cache behavior, an attacker can infer the secret data being processed. A post-quantum algorithm such as ML-KEM can be mathematically sound and still leak its key through a careless implementation.
Why post-quantum schemes are exposed
The NIST standards specify algorithms, not the exact machine code that runs them, and the new schemes have internal steps that are easy to implement in a way that leaks. Lattice schemes perform rejection sampling, modular reduction, and polynomial arithmetic whose running time or memory access pattern can depend on secret values. Hash-based and code-based schemes have their own sensitive steps. Because these algorithms are newer than RSA and elliptic-curve cryptography, the community has had less time to harden every implementation against the full catalogue of physical attacks.
Classes of attack
- Timing attacks exploit data-dependent execution time. They are the most dangerous class for networked software because they can sometimes be mounted remotely, without physical access.
- Power and electromagnetic attacks measure a device's power draw or emissions during an operation, and are a particular concern for smart cards and embedded hardware.
- Cache attacks observe which memory a victim touches through shared-cache timing, letting one process on a machine spy on another.
- Fault attacks deliberately induce errors, for example by glitching the clock or voltage, to make a signature or decryption reveal secret information.
KyberSlash
A concrete example is KyberSlash, disclosed in late 2023 and 2024. Several widely used implementations of ML-KEM (Kyber) divided by a secret-dependent value, and on many processors integer division takes a variable number of cycles. The timing of that division leaked information about the secret, and researchers showed that repeated measurements could recover the private key. The fix was to rewrite the division so its timing does not depend on secret data. KyberSlash affected the implementation layer only, not the ML-KEM standard itself, and it illustrates why implementation review matters as much as algorithm selection.
Countermeasures
The first line of defense is Constant-time implementation implementation: code whose execution time and memory access pattern never depend on secret data. Reference and production libraries such as those tracked by PQClean and liboqs treat constant-time behavior as a requirement and test for it. For hardware that faces power and electromagnetic analysis, developers add masking, which splits every secret into random shares so that no single measured value reveals it, and higher-order masking to resist more capable attackers. Fault attacks are countered with redundant computation and verification before a result is released. These defenses carry a performance cost, so implementers choose a level appropriate to their threat model, and standards guidance increasingly calls for validated, side-channel-resistant implementations rather than merely correct ones.
Sources
- KyberSlash: division timing side channels in ML-KEM implementations (Bernstein et al., 2024)
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
- Masking Kyber: First- and Higher-Order Implementations (IACR Transactions on CHES, 2021)
Cite this entry
"Side-channel attacks on post-quantum cryptography." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/side-channel-attacks@misc{pqwiki-side-channel-attacks,
title = {Side-channel attacks on post-quantum cryptography},
howpublished = {\url{https://postquantum.wiki/side-channel-attacks}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}