{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T16:36:44Z","timestamp":1773247004681,"version":"3.50.1"},"reference-count":33,"publisher":"International Association for Cryptologic Research","issue":"3","license":[{"start":{"date-parts":[[2025,7,8]],"date-time":"2025-07-08T00:00:00Z","timestamp":1751932800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,9,2]]},"abstract":"<jats:p>In this work, we present methods for conducting higher-order non-profiled side-channel attacks on Lattice-Based Cryptography (LBC). Our analysis covers two scenarios: one where the device leakage is known and follows the Hamming weight model, and another where the leakage model is not Hamming-weight based and is unknown to the attacker. We focus on the Post-Quantum Cryptography (PQC) standards, the Dilithium digital signature (i.e. ML-DSA) and the Kyber key encapsulation (i.e. ML-KEM) algorithms. For Hamming weight leakage, we develop efficient higher-order Correlation Power Analysis (HOCPA) attacks in which the attacker must compute a function known as the optimal prediction function. We revisit the definition of the optimal prediction function and introduce a recursive method for computing it efficiently. Our approach is particularly useful when a closed-form formula is unavailable, as in LBC. Then, we introduce sin and cos prediction functions, which prove optimal for HOCPA attacks against second- and higher-order masking protection. We validate our methods through simulations and real-device experiments on open-source masked implementations of Dilithium and Kyber on an Arm Cortex-M4.
On the real device, we achieve full secret-key recovery using only 700 and 2400 traces for second- and third-order masked implementations of Dilithium, and 2200 and 14500 traces for second- and third-order masked implementations of Kyber, respectively. For the unknown leakage scenarios, we leverage generic Side-Channel Analysis (SCA) distinguishers. A key challenge here is the injectivity of modular multiplications in NTT-based polynomial multiplication, typically addressed by bit-dropping in the literature. However, we experimentally show that bit-dropping is largely inefficient against protected implementations of LBC. To overcome this limitation, we present a novel two-step attack on Kyber, combining generic distinguishers and lattice reduction techniques. Our approach decreases the number of predictions from q^2 to q and does not rely on bit-dropping. Our experimental results demonstrate a speed-up of up to 23490x in attack run-time over the baseline, along with an improved success rate. In certain scenarios, higher-order attacks become feasible only through the proposed approach, as classical methods are shown to be unsuccessful.
<\/jats:p>","DOI":"10.62056\/a0txl8n4e","type":"journal-article","created":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T18:49:52Z","timestamp":1759776592000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":2,"title":["Non-Profiled Higher-Order Side-Channel Attacks against Lattice-Based Post-Quantum Cryptography"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7665-5324","authenticated-orcid":false,"given":"Tolun","family":"Tosun","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/049asqa32","id-type":"ROR","asserted-by":"publisher"}],"name":"Sabanci University","place":["Universite St.27, Tuzla, Istanbul, 34956, Turkiye"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7502-3184","authenticated-orcid":false,"given":"Elisabeth","family":"Oswald","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05q9m0937","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Klagenfurt","place":["Universit\u00e4tsstra\u00dfe 65\/67, Klagenfurt, 9020, Austria"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4869-5556","authenticated-orcid":false,"given":"Erkay","family":"Sava\u015f","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/049asqa32","id-type":"ROR","asserted-by":"publisher"}],"name":"Sabanci University","place":["Universite St.27, Tuzla, Istanbul, 34956, Turkiye"]}]}],"member":"48349","published-online":{"date-parts":[[2025,10,6]]},"reference":[{"key":"ref1:FOCS:Shor94","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1109\/SFCS.1994.365700","article-title":"Algorithms for quantum computation: discrete logarithms and\n  factoring","author":"Peter W Shor","year":"1994"},{"key":"ref2:bos2018crystals","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1109\/EuroSP.2018.00032","article-title":"CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM","author":"Joppe 
Bos","year":"2018"},{"key":"ref3:ducas2018crystals","doi-asserted-by":"publisher","first-page":"238","DOI":"10.13154\/tches.v2018.i1.238-268","article-title":"CRYSTALS-Dilithium: A Lattice-Based Digital Signature\n  Scheme","volume":"2018","author":"L\u00e9o Ducas","year":"2018","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref4:chari1999towards","doi-asserted-by":"publisher","first-page":"398","DOI":"10.1007\/3-540-48405-1_26","article-title":"Towards sound approaches to counteract power-analysis\n  attacks","author":"Suresh Chari","year":"1999"},{"key":"ref5:chen2021efficient","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1109\/ICCD53106.2021.00094","article-title":"An Efficient Non-Profiled Side-Channel Attack on the\n  CRYSTALS-Dilithium Post-Quantum Signature","author":"Zhaohui Chen","year":"2021"},{"key":"ref6:mujdei2024side","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3569420","article-title":"Side-channel analysis of lattice-based post-quantum\n  cryptography: Exploiting polynomial multiplication","volume":"23","author":"Catinca Mujdei","year":"2024","journal-title":"ACM Transactions on Embedded Computing Systems"},{"key":"ref7:tosun2023zero","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3359890","article-title":"Zero-Value Filtering for Accelerating Non-Profiled\n  Side-Channel Attack on Incomplete NTT based Implementations of Lattice-based\n  Cryptography","author":"Tolun Tosun","year":"2024","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"ref8:tosun2024exploiting","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3494593","article-title":"Exploiting the Central Reduction in Lattice-Based\n  Cryptography","author":"Tolun Tosun","year":"2024","journal-title":"IEEE Access"},{"key":"ref9:steffen2023breaking","doi-asserted-by":"publisher","first-page":"688","DOI":"10.1007\/978-3-031-40003-2_25","article-title":"Breaking and 
protecting the crystal: Side-channel analysis\n  of Dilithium in hardware","author":"Hauke Steffen","year":"2023"},{"key":"ref10:rodriguez2023correlation","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1109\/PRIME58259.2023.10161764","article-title":"Correlation electromagnetic analysis on an FPGA\n  implementation of CRYSTALS-Kyber","author":"Rafael Carrera Rodriguez","year":"2023"},{"key":"ref11:qiao2023ntt","article-title":"When NTT meets SIS: Efficient side-channel attacks on\n  Dilithium and kyber","author":"Zehua Qiao","year":"2023","journal-title":"Cryptology ePrint Archive"},{"key":"ref12:kuo2023lattice","doi-asserted-by":"publisher","first-page":"202","DOI":"10.1007\/978-981-97-1235-9_11","article-title":"A lattice attack on crystals-Kyber with correlation power\n  analysis","author":"Yen-Ting Kuo","year":"2023"},{"key":"ref13:brier2004correlation","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1007\/978-3-540-28632-5_2","article-title":"Correlation power analysis with a leakage model","author":"Eric Brier","year":"2004"},{"key":"ref14:prouff2009statistical","doi-asserted-by":"publisher","first-page":"799","DOI":"10.1109\/TC.2009.15","article-title":"Statistical analysis of second order differential power\n  analysis","volume":"58","author":"Emmanuel Prouff","year":"2009","journal-title":"IEEE Transactions on computers"},{"key":"ref15:levi2019reducing","doi-asserted-by":"publisher","first-page":"293","DOI":"10.13154\/tches.v2019.i2.293-317","article-title":"Reducing a Masked Implementation\u2019s Effective Security\n  Order with Setup Manipulations: And an Explanation Based on\n  Externally-Amplified Couplings","volume":"2019","author":"Itamar Levi","year":"2019","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref16:gao2020share","doi-asserted-by":"publisher","first-page":"152","DOI":"10.13154\/tches.v2020.i1.152-174","article-title":"Share-slicing: Friend or 
Foe?","volume":"2020","author":"Si Gao","year":"2019","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref17:gierlichs2008mutual","doi-asserted-by":"publisher","first-page":"426","DOI":"10.1007\/978-3-540-85053-3_27","article-title":"Mutual information analysis: A generic side-channel\n  distinguisher","author":"Benedikt Gierlichs","year":"2008"},{"key":"ref18:yan2023not","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1007\/978-981-97-1235-9_13","article-title":"Not optimal but efficient: a distinguisher based on the\n  Kruskal-Wallis test","author":"Yan Yan","year":"2023"},{"key":"ref19:heuser2014good","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1007\/978-3-662-44709-3_4","article-title":"Good is not good enough: Deriving optimal distinguishers\n  from communication theory","author":"Annelie Heuser","year":"2014"},{"key":"ref20:primas2017single","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/978-3-319-66787-4_25","article-title":"Single-trace side-channel attacks on masked lattice-based\n  encryption","author":"Robert Primas","year":"2017"},{"key":"ref21:bronchain2023exploiting","doi-asserted-by":"publisher","first-page":"359","DOI":"10.46586\/tches.v2024.i2.359-383","article-title":"Exploiting Small-Norm Polynomial Multiplication with\n  Physical Attacks: Application to CRYSTALS-Dilithium","volume":"2024","author":"Olivier Bronchain","year":"2024","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref22:dubrova2023breaking","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1145\/3591866.3593072","article-title":"Breaking a fifth-order masked implementation of\n  crystals-kyber by copy-paste","author":"Elena Dubrova","year":"2023"},{"key":"ref23:backlund2023secret","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1007\/978-3-031-41181-6_9","article-title":"Secret key recovery attack on masked and shuffled\n  
implementations of CRYSTALS-Kyber and Saber","author":"Linus Backlund","year":"2023"},{"key":"ref24:wang2024side","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-031-54776-8_12","article-title":"A Side-Channel Attack on a Higher-Order Masked\n  CRYSTALS-Kyber Implementation","author":"Ruize Wang","year":"2024"},{"key":"ref25:xu2021magnifying","doi-asserted-by":"publisher","first-page":"2163","DOI":"10.1109\/TC.2021.3122997","article-title":"Magnifying side-channel leakage of lattice-based\n  cryptosystems with chosen ciphertexts: The case study of kyber","volume":"71","author":"Zhuang Xu","year":"2021","journal-title":"IEEE Transactions on Computers"},{"key":"ref26:karabulut2021single","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1109\/HOST49136.2021.9702284","article-title":"Single-trace side-channel attacks on $\\omega$-small\n  polynomial sampling: With applications to ntru, NTRU prime, and\n  CRYSTALS-DILITHIUM","author":"Emre Karabulut","year":"2021"},{"key":"ref27:marzougui2022profiling","isbn-type":"print","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-58411-4_1","article-title":"Profiling Side-Channel Attacks on\u00a0Dilithium","author":"Vincent Quentin Ulitzsch","year":"2024","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031584114"},{"key":"ref28:regev2009lattices","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1568318.1568324","article-title":"On lattices, learning with errors, random linear codes, and\n  cryptography","volume":"56","author":"Oded Regev","year":"2009","journal-title":"Journal of the ACM (JACM)"},{"key":"ref29:kannwischer2019pqm4","volume-title":"pqm4: Testing and Benchmarking NIST PQC on ARM Cortex-M4","author":"Matthias J Kannwischer","year":"2019"},{"key":"ref30:abdulrahman2022faster","doi-asserted-by":"publisher","first-page":"853","DOI":"10.1007\/978-3-031-09234-3_42","article-title":"Faster kyber and dilithium on the cortex-m4","author":"Amin 
Abdulrahman","year":"2022"},{"key":"ref31:heinz2022first","article-title":"First-order masked Kyber on ARM Cortex-M4","author":"Daniel Heinz","year":"2022","journal-title":"Cryptology ePrint Archive"},{"key":"ref32:coron2024improved","doi-asserted-by":"publisher","first-page":"335","DOI":"10.46586\/tches.v2024.i4.335-354","article-title":"Improved High-Order Masked Generation of Masking Vector and\n  Rejection Sampling in Dilithium","volume":"2024","author":"Jean-S\u00e9bastien Coron","year":"2024","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref33:bronchain2022bitslicing","doi-asserted-by":"publisher","first-page":"553","DOI":"10.46586\/tches.v2022.i4.553-588","article-title":"Bitslicing arithmetic\/Boolean masking conversions for fun\n  and profit: with application to lattice-based KEMs","author":"Olivier Bronchain","year":"2022","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T20:23:24Z","timestamp":1759782204000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/3\/31"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,6]]},"references-count":33,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025,10,6]]}},"URL":"https:\/\/doi.org\/10.62056\/a0txl8n4e","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,6]]},"assertion":[{"value":"2025-07-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-3-64"}}