{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T01:23:40Z","timestamp":1768613020752,"version":"3.49.0"},"reference-count":0,"publisher":"Universitatsbibliothek der Ruhr-Universitat Bochum","issue":"1","license":[{"start":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T00:00:00Z","timestamp":1768521600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["TCHES"],"abstract":"<jats:p>In this paper, we revisit the protection of Kyber\u2019s NTT implementation against plaintext-checking side-channel attacks, for which the current mainstream solution is to combine masking and shuffling. For this purpose, we first bring consolidating arguments why shuffling alone is (theoretically) of limited help to improve security against such distinguishing attacks, and why masking alone may be (practically) hindered by a lack of physical noise in low-cost embedded devices. We then discuss the challenges to address when implementing and (mostly) evaluating masked and shuffled implementations, and the lack of easy-to-extrapolate scaling trends for such a mix of countermeasures. We use this discussion as a motivation for a simpler approach, namely refreshing the layers of the NTT thanks to simple gadgets with linear overheads. Using both simulated analyses and actual experiments, we show that such an approach can limit the propagation of information through the NTT layers via belief propagation, even in low-noise contexts. We also show that this combination can simplify the side-channel security evaluation of a protected NTT implementation, and lead to the exponential security amplification that is expected when masking. As side contributions, we discuss the significant differences between the (very leaky) reference C implementation of Kyber\u2019s NTT and an efficient assembly one, together with the profiling difficulties raised by lazy reduction techniques.<\/jats:p>","DOI":"10.46586\/tches.v2026.i1.472-499","type":"journal-article","created":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:13:44Z","timestamp":1768576424000},"page":"472-499","source":"Crossref","is-referenced-by-count":0,"title":["Keep it Simple: Refreshing the NTT of Kyber\u2019s Decapsulation to Prevent Plaintext-Checking Side-Channel Attacks"],"prefix":"10.46586","volume":"2026","author":[{"given":"Duy\u00ean","family":"Pay","sequence":"first","affiliation":[]},{"given":"Fran\u00e7ois-Xavier","family":"Standaert","sequence":"additional","affiliation":[]}],"member":"25480","published-online":{"date-parts":[[2026,1,16]]},"container-title":["IACR Transactions on Cryptographic Hardware and Embedded Systems"],"original-title":[],"link":[{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12690\/12372","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/download\/12690\/12372","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T15:13:44Z","timestamp":1768576424000},"score":1,"resource":{"primary":{"URL":"https:\/\/tches.iacr.org\/index.php\/TCHES\/article\/view\/12690"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,16]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1,16]]}},"URL":"https:\/\/doi.org\/10.46586\/tches.v2026.i1.472-499","relation":{},"ISSN":["2569-2925"],"issn-type":[{"value":"2569-2925","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,16]]}}}