{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T16:10:54Z","timestamp":1781799054201,"version":"3.54.5"},"reference-count":35,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,12,24]],"date-time":"2025-12-24T00:00:00Z","timestamp":1766534400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,12,24]],"date-time":"2025-12-24T00:00:00Z","timestamp":1766534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100013000","name":"Politecnico di Torino","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100013000","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Des. Codes Cryptogr."],"published-print":{"date-parts":[[2026,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    A partial key exposure attack is a key recovery attack where an adversary obtains a priori partial knowledge of the secret key, e.g., through side-channel leakage. While for a long time post-quantum cryptosystems, unlike RSA, have been believed to be resistant to such attacks, recent results by Esser, May, Verbel, and Wen (CRYPTO \u201922), and by Kirshanova and May (SCN \u201922), have refuted this belief. In this work, we focus on partial key exposure attacks in the context of rank-metric-based schemes, particularly targeting the RYDE, MIRA, and MiRitH digital signatures schemes, which are active candidates in the NIST post-quantum cryptography standardization process. We demonstrate that, similar to the RSA case, the secret key in RYDE can be recovered from a constant fraction of its bits. Specifically, for NIST category I parameters, our attacks remain efficient even when less than 25% of the key material is leaked. Interestingly, our attacks lead to a natural improvement of the best generic attack on RYDE\n                    <jats:italic>without partial knowledge<\/jats:italic>\n                    , reducing security levels by up to 9 bits. For MIRA and MiRitH our attacks remain efficient as long as roughly 57\u201360% of the secret key material is leaked. Additionally, we initiate the study of partial exposure of the witness in constructions following the popular MPCitH (MPC-in-the-Head) paradigm. We show a generic reduction from recovering RYDE and MIRA\u2019s witness to the MinRank problem, which again leads to efficient key recovery from constant fractions of the secret witness in both cases.\n                  <\/jats:p>","DOI":"10.1007\/s10623-025-01738-1","type":"journal-article","created":{"date-parts":[[2025,12,24]],"date-time":"2025-12-24T07:15:34Z","timestamp":1766560534000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Sneaking up the ranks: Partial key exposure attacks on rank-based schemes"],"prefix":"10.1007","volume":"94","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7377-6617","authenticated-orcid":false,"given":"Giuseppe","family":"D\u2019Alconzo","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5806-3600","authenticated-orcid":false,"given":"Andre","family":"Esser","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9689-8473","authenticated-orcid":false,"given":"Andrea","family":"Gangemi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2111-7596","authenticated-orcid":false,"given":"Carlo","family":"Sanna","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,12,24]]},"reference":[{"key":"1738_CR1","unstructured":"Adj G., Barbero S., Bellini E., Esser A., Rivera-Zamarripa L., Sanna C., Verbel J., Zweydinger F.: MiRitH specification (2023). https:\/\/pqc-mirith.org\/assets\/downloads\/mirith_specifications_v1.0.0.pdf."},{"key":"1738_CR2","doi-asserted-by":"crossref","unstructured":"Adj G., Aragon N., Barbero S., Bardet M., Bellini E., Bidoux L., Chi-Dom\u00ednguez J.-J., Dyseryn V., Esser A., Feneuil T., Gaborit P., Neveu R., Rivain M., Rivera-Zamarripa L., Sanna C., Tillich J.-P., Verbel J., Zweydinger F.: MIRATH website (2024). https:\/\/pqc-mirath.org.","DOI":"10.46586\/tches.v2024.i2.304-328"},{"key":"1738_CR3","doi-asserted-by":"publisher","unstructured":"Alagic G., et al.: Status report on the first round of the additional digital signature schemes for the NIST post-quantum cryptography standardization process. Technical report, NIST (October 2024). https:\/\/doi.org\/10.6028\/NIST.IR.8528.","DOI":"10.6028\/NIST.IR.8528"},{"key":"1738_CR4","doi-asserted-by":"crossref","unstructured":"Aragon N., Gaborit P., Hauteville A., Tillich J.-P.: A new algorithm for solving the rank syndrome decoding problem. In: 2018 IEEE International Symposium on Information Theory (ISIT), pp. 2421\u20132425. IEEE (2018).","DOI":"10.1109\/ISIT.2018.8437464"},{"key":"1738_CR5","unstructured":"Aragon N., Barreto P., Bettaieb S., Bidoux L., Blazy O., Deneuville J.-C., Gaborit P., Ghosh S., Gueron S., G\u00fcneysu T., et al.: BIKE: bit flipping key encapsulation. HAL Open Sci. (2022)."},{"key":"1738_CR6","unstructured":"Aragon N., Bardet M., Bidoux L., Chi-Dom\u00ednguez J.-J., Dyseryn V., Feneuil T., Gaborit P., Joux A., Rivain M., Tillich J.-P., Vin\u00e7otte A.: RYDE specification (2023). https:\/\/pqc-ryde.org\/assets\/downloads\/ryde_spec.pdf."},{"key":"1738_CR7","unstructured":"Aragon N., Bardet M., Bidoux L., Chi-Dom\u00ednguez J.-J., Dyseryn V., Feneuil T., Gaborit P., Neveu R., Rivain M., Tillich J.-P.: MIRA specification (2023). https:\/\/pqc-mira.org\/assets\/downloads\/mira_spec.pdf."},{"key":"1738_CR8","doi-asserted-by":"crossref","unstructured":"Baum C., Braun L., Saint\u00a0Guilhem C.D., Kloo\u00df M., Orsini E., Roy L., Scholl P.: Publicly verifiable zero-knowledge and post-quantum signatures from vole-in-the-head. In: Annual International Cryptology Conference, pp. 581\u2013615. Springer, New York (2023).","DOI":"10.1007\/978-3-031-38554-4_19"},{"key":"1738_CR9","volume-title":"NTRU Algorithm Specifications and Supporting Documentation","author":"C Chen","year":"2019","unstructured":"Chen C., Danba O., Hoffstein J., H\u00fclsing A., Rijneveld J., Schanck J.M., Schwabe P., Whyte W., Zhang Z.: NTRU Algorithm Specifications and Supporting Documentation. Brown University and Onboard Security Company, Wilmington (2019)."},{"issue":"4","key":"1738_CR10","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/s001459900030","volume":"10","author":"D Coppersmith","year":"1997","unstructured":"Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233\u2013260 (1997). https:\/\/doi.org\/10.1007\/s001459900030.","journal-title":"J. Cryptol."},{"issue":"1","key":"1738_CR11","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1515\/jmc-2020-0075","volume":"15","author":"D Dachman-Soled","year":"2020","unstructured":"Dachman-Soled D., Gong H., Kulkarni M., Shahverdi A.: (In) security of ring-LWE under partial key exposure. J. Math. Cryptol. 15(1), 72\u201386 (2020).","journal-title":"J. Math. Cryptol."},{"key":"1738_CR12","unstructured":"Ding J., Chen M.-S., Petzoldt A., Schmidt D., Yang B.-Y., Kannwischer M., Patarin J.: Rainbow-algorithm specification and documentation. Specification document of NIST PQC 2nd round submission package (2019)."},{"key":"1738_CR13","unstructured":"Dumer I.: On minimum distance decoding of linear codes. In: Proceedings of the Fifth Joint Soviet\u2013Swedish International Workshop on Information Theory, pp. 50\u201352. Moscow (1991)."},{"key":"1738_CR14","doi-asserted-by":"publisher","unstructured":"Ernst M., Jochemsz E., May A., Weger B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer R. (ed.) EUROCRYPT\u00a02005. LNCS, vol. 3494, pp. 371\u2013386. Springer, New York (2005). https:\/\/doi.org\/10.1007\/11426639_22.","DOI":"10.1007\/11426639_22"},{"key":"1738_CR15","doi-asserted-by":"publisher","unstructured":"Esser A., Bellini E.: Syndrome decoding estimator. In: Hanaoka G., Shikata J., Watanabe Y. (eds.) PKC\u00a02022, Part\u00a0I. LNCS, vol. 13177, pp. 112\u2013141. Springer, New York (2022). https:\/\/doi.org\/10.1007\/978-3-030-97121-2_5.","DOI":"10.1007\/978-3-030-97121-2_5"},{"key":"1738_CR16","doi-asserted-by":"publisher","unstructured":"Esser A., May A., Verbel J.A., Wen W.: Partial key exposure attacks on BIKE, rainbow and NTRU. In: Dodis Y., Shrimpton T. (eds.) CRYPTO\u00a02022, Part\u00a0III. LNCS, vol. 13509, pp. 346\u2013375. Springer, New York (2022). https:\/\/doi.org\/10.1007\/978-3-031-15982-4_12.","DOI":"10.1007\/978-3-031-15982-4_12"},{"key":"1738_CR17","doi-asserted-by":"crossref","unstructured":"Esser A., Verbel J., Zweydinger F., Bellini E.: SoK: CryptographicEstimators\u2014a software library for cryptographic hardness estimation. In: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 560\u2013574 (2024).","DOI":"10.1145\/3634737.3645007"},{"key":"1738_CR18","doi-asserted-by":"crossref","unstructured":"Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Conference on the Theory and Application of Cryptographic Techniques, pp. 186\u2013194. Springer, New York (1986).","DOI":"10.1007\/3-540-47721-7_12"},{"issue":"2","key":"1738_CR19","doi-asserted-by":"publisher","first-page":"1006","DOI":"10.1109\/TIT.2015.2511786","volume":"62","author":"P Gaborit","year":"2015","unstructured":"Gaborit P., Ruatta O., Schrek J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006\u20131019 (2015).","journal-title":"IEEE Trans. Inf. Theory"},{"issue":"2","key":"1738_CR20","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1007\/s00145-004-0215-y","volume":"18","author":"R Gennaro","year":"2005","unstructured":"Gennaro R.: An improved pseudo-random generator based on the discrete logarithm problem. J. Cryptol. 18(2), 91\u2013110 (2005). https:\/\/doi.org\/10.1007\/s00145-004-0215-y.","journal-title":"J. Cryptol."},{"key":"1738_CR21","doi-asserted-by":"crossref","unstructured":"Goubin L., Courtois N.T.: Cryptanalysis of the TTM cryptosystem. In: Advances in Cryptology\u2013ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3\u20137, 2000 Proceedings, vol. 6, pp. 44\u201357. Springer, New York (2000).","DOI":"10.1007\/3-540-44448-3_4"},{"key":"1738_CR22","doi-asserted-by":"publisher","unstructured":"Heninger N., Shacham H.: Reconstructing RSA private keys from random key bits. In: Halevi S. (ed.) CRYPTO\u00a02009. LNCS, vol. 5677, pp. 1\u201317. Springer, New York (2009). https:\/\/doi.org\/10.1007\/978-3-642-03356-8_1.","DOI":"10.1007\/978-3-642-03356-8_1"},{"key":"1738_CR23","doi-asserted-by":"crossref","unstructured":"Ishai Y., Kushilevitz E., Ostrovsky R., Sahai A.: Zero-knowledge from secure multiparty computation. In: Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, pp. 21\u201330 (2007).","DOI":"10.1145\/1250790.1250794"},{"key":"1738_CR24","doi-asserted-by":"crossref","unstructured":"Kirshanova E., May A.: Decoding McEliece with a hint\u2014secret Goppa key parts reveal everything. In: International Conference on Security and Cryptography for Networks, pp. 3\u201320. Springer, New York (2022).","DOI":"10.1007\/978-3-031-14791-3_1"},{"key":"1738_CR25","doi-asserted-by":"publisher","unstructured":"May A., Nowakowski J., Sarkar S.: Partial key exposure attack on short secret exponent CRT-RSA. In: Tibouchi M., Wang H. (eds.) ASIACRYPT\u00a02021, Part\u00a0I. LNCS, vol. 13090, pp. 99\u2013129. Springer, New York (2021). https:\/\/doi.org\/10.1007\/978-3-030-92062-3_4.","DOI":"10.1007\/978-3-030-92062-3_4"},{"key":"1738_CR26","doi-asserted-by":"publisher","unstructured":"May A., Nowakowski J., Sarkar S.: Approximate divisor multiples\u2014factoring with only a third of the secret CRT-exponents. In: Dunkelman O., Dziembowski S. (eds.) EUROCRYPT\u00a02022, Part\u00a0III. LNCS, vol. 13277, pp. 147\u2013167. Springer, New York (2022). https:\/\/doi.org\/10.1007\/978-3-031-07082-2_6.","DOI":"10.1007\/978-3-031-07082-2_6"},{"key":"1738_CR27","first-page":"114","volume":"42\u201344","author":"RJ McEliece","year":"1978","unstructured":"McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 42\u201344, 114\u2013116 (1978).","journal-title":"DSN Prog. Rep."},{"issue":"2","key":"1738_CR28","first-page":"157","volume":"15","author":"H Niederreiter","year":"1986","unstructured":"Niederreiter H.: Knapsack-type cryptosystems and algebraic coding theory. Probab. Control Inf. Theory 15(2), 157\u2013166 (1986).","journal-title":"Probab. Control Inf. Theory"},{"issue":"3","key":"1738_CR29","doi-asserted-by":"publisher","first-page":"559","DOI":"10.1090\/S0002-9947-1933-1501703-0","volume":"35","author":"O Ore","year":"1933","unstructured":"Ore O.: On a special class of polynomials. Trans. Am. Math. Soc. 35(3), 559\u2013584 (1933).","journal-title":"Trans. Am. Math. Soc."},{"key":"1738_CR30","doi-asserted-by":"publisher","unstructured":"Patel S., Sundaram G.S.: An efficient discrete log pseudo random generator. In: Krawczyk H. (ed.) CRYPTO\u201998. LNCS, vol. 1462, pp. 304\u2013317. Springer, New York (1998). https:\/\/doi.org\/10.1007\/BFb0055737.","DOI":"10.1007\/BFb0055737"},{"key":"1738_CR31","doi-asserted-by":"crossref","unstructured":"Paterson K.G., Villanueva-Polanco R.: Cold boot attacks on NTRU. In: Patra A., Smart N.P. (eds.) INDOCRYPT\u00a02017. LNCS, vol. 10698, pp. 107\u2013125. Springer, New York (2017).","DOI":"10.1007\/978-3-319-71667-1_6"},{"key":"1738_CR32","doi-asserted-by":"publisher","unstructured":"Takayasu A., Kunihiro N.: Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: Joux A., Youssef A.M. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345\u2013362. Springer, New York (2014). https:\/\/doi.org\/10.1007\/978-3-319-13051-4_21.","DOI":"10.1007\/978-3-319-13051-4_21"},{"key":"1738_CR33","doi-asserted-by":"publisher","unstructured":"Villanueva-Polanco R.: Cold boot attacks on Bliss. In: Schwabe P., Th\u00e9riault N. (eds.) LATINCRYPT\u00a02019. LNCS, vol. 11774, pp. 40\u201361. Springer, New York (2019). https:\/\/doi.org\/10.1007\/978-3-030-30530-7_3.","DOI":"10.1007\/978-3-030-30530-7_3"},{"key":"1738_CR34","doi-asserted-by":"crossref","unstructured":"Villanueva-Polanco R.: Cold boot attacks on post-quantum schemes. PhD thesis, Royal Holloway, University of London (2019).","DOI":"10.3390\/app10124106"},{"issue":"12","key":"1738_CR35","doi-asserted-by":"publisher","first-page":"4106","DOI":"10.3390\/app10124106","volume":"10","author":"R Villanueva-Polanco","year":"2020","unstructured":"Villanueva-Polanco R.: Cold boot attacks on LUOV. Appl. Sci. 10(12), 4106 (2020).","journal-title":"Appl. Sci."}],"container-title":["Designs, Codes and Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-025-01738-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10623-025-01738-1","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-025-01738-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,26]],"date-time":"2026-01-26T17:13:09Z","timestamp":1769447589000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10623-025-01738-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,24]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,1]]}},"alternative-id":["1738"],"URL":"https:\/\/doi.org\/10.1007\/s10623-025-01738-1","relation":{},"ISSN":["0925-1022","1573-7586"],"issn-type":[{"value":"0925-1022","type":"print"},{"value":"1573-7586","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12,24]]},"assertion":[{"value":"24 December 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 December 2024","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 November 2025","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 December 2025","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent to participate"}},{"value":"Not applicable.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}},{"value":"Not applicable.","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"Not applicable.","order":6,"name":"Ethics","group":{"name":"EthicsHeading","label":"Materials availability"}},{"value":"Not applicable.","order":7,"name":"Ethics","group":{"name":"EthicsHeading","label":"Code availability"}}],"article-number":"15"}}