{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:51Z","timestamp":1778040951126,"version":"3.51.4"},"reference-count":39,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T00:00:00Z","timestamp":1769731200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,22]]},"abstract":"<jats:p>The Fujisaki-Okamoto transform is a popular solution for designing post-quantum public-key encryption schemes or key encapsulation mechanisms. To ensure security against chosen-ciphertext attacks, it checks the validity of ciphertexts by re-encrypting decrypted messages. This operation in turn leads to severe side-channel weaknesses, because the re-encrypted messages can be made key-dependent, so distinguishing them from their leakage is sufficient to extract (long-term) secret key information. As a result, recent works have suggested ensuring the validity of ciphertexts by means other than re-encryption. For now, the main candidate for this purpose, integrated in the Polka encryption scheme (PKC 2023) and analyzed more generically by H\u00f6velmanns et al. (EUROCRYPT 2025), is to use continuous norm checks throughout the decryption process. In this paper, we evaluate the extent to which replacing the FO-transform by such norm checks helps resistance against leakage. Negatively, we exhibit new attack vectors that were not anticipated in previous (heuristic) analyses. Positively, we observe that the removal of the FO-transform nevertheless reduces the attack surface, and we identify possible tracks to further minimize it. Overall, our results shed light on the challenge of designing post-quantum public-key encryption schemes, or key encapsulation mechanisms, that can be efficiently protected against side-channel attacks. We hope they can inform theory about leakage sources that could be better handled by design, enabling new schemes that need fewer implementation-level countermeasures.<\/jats:p>","DOI":"10.62056\/a36c0l2hd","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["In Mid-Stream: Removing the FO-Transform Helps against Leakage but is not Enough"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-2629-1151","authenticated-orcid":false,"given":"Duy\u00ean","family":"Pay","sequence":"first","affiliation":[{"name":"UCLouvain, ICTEAM Institute, Crypto Group","place":["Louvain-la-Neuve, Belgium"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9042-7531","authenticated-orcid":false,"given":"Thomas","family":"Peters","sequence":"additional","affiliation":[{"name":"UCLouvain, ICTEAM Institute, Crypto Group","place":["Louvain-la-Neuve, Belgium"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7444-0285","authenticated-orcid":false,"given":"Fran\u00e7ois-Xavier","family":"Standaert","sequence":"additional","affiliation":[{"name":"UCLouvain, ICTEAM Institute, Crypto Group","place":["Louvain-la-Neuve, Belgium"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:Kyber","volume-title":"CRYSTALS-Kyber Algorithm Specifications and Supporting\n  Documentation","author":"Roberto 
Avanzi","year":"2021"},{"key":"ref2:DBLP:journals\/iet-ifs\/MangardOS11","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1049\/IET-IFS.2010.0096","article-title":"One for all - all for one: unifying standard differential\n  power analysis attacks","volume":"5","author":"Stefan Mangard","year":"2011","journal-title":"IET Inf. Secur."},{"key":"ref3:DBLP:conf\/ches\/PrimasPM17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/978-3-319-66787-4_25","article-title":"Single-Trace Side-Channel Attacks on Masked Lattice-Based\n  Encryption","author":"Robert Primas","year":"2017"},{"key":"ref4:DBLP:conf\/latincrypt\/PesslP19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"130","DOI":"10.1007\/978-3-030-30530-7_7","article-title":"More Practical Single-Trace Attacks on the Number Theoretic\n  Transform","author":"Peter Pessl","year":"2019"},{"key":"ref5:DBLP:journals\/tches\/HamburgHPSSSSV21","doi-asserted-by":"publisher","first-page":"88","DOI":"10.46586\/TCHES.V2021.I4.88-113","article-title":"Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure\n  Kyber","volume":"2021","author":"Mike Hamburg","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref6:ICSP21","series-title":"Communications in Computer and Information Science","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1007\/978-3-030-90553-8_3","article-title":"Side-Channel Analysis of CRYSTALS-Kyber and A Novel\n  Low-Cost Countermeasure","volume":"1497","author":"Meziane Hamoudi","year":"2021"},{"key":"ref7:DBLP:conf\/icisc\/KuoT23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"202","DOI":"10.1007\/978-981-97-1235-9_11","article-title":"A Lattice Attack on CRYSTALS-Kyber with Correlation Power\n  Analysis","author":"Yen-Ting Kuo","year":"2023"},{"key":"ref8:DBLP:journals\/tcad\/WangXT25","doi-asserted-by":"publisher","first-page":"3643","DOI":"10.1109\/TCAD.2025.3550443","article-title":"An Improved Two-Step Attack on Lattice-Based Cryptography:\n  A Case Study of Kyber","volume":"44","author":"Kai Wang","year":"2025","journal-title":"IEEE Trans. Comput. Aided Des. Integr. Circuits Syst."},{"key":"ref9:DBLP:journals\/tches\/RaviRCB20","doi-asserted-by":"publisher","first-page":"307","DOI":"10.13154\/TCHES.V2020.I3.307-335","article-title":"Generic Side-channel attacks on CCA-secure lattice-based\n  PKE and KEMs","volume":"2020","author":"Prasanna Ravi","year":"2020","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref10:DBLP:journals\/tches\/UenoXTITH22","doi-asserted-by":"publisher","first-page":"296","DOI":"10.46586\/TCHES.V2022.I1.296-322","article-title":"Curse of Re-encryption: A Generic Power\/EM Analysis on\n  Post-Quantum KEMs","volume":"2022","author":"Rei Ueno","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref11:DBLP:journals\/tc\/XuPROYZ22","doi-asserted-by":"publisher","first-page":"2163","DOI":"10.1109\/TC.2021.3122997","article-title":"Magnifying Side-Channel Leakage of Lattice-Based\n  Cryptosystems With Chosen Ciphertexts: The Case Study of Kyber","volume":"71","author":"Zhuang Xu","year":"2022","journal-title":"IEEE Trans. Computers"},{"key":"ref12:DBLP:journals\/tches\/RajendranRDBC23","doi-asserted-by":"publisher","first-page":"418","DOI":"10.46586\/TCHES.V2023.I2.418-446","article-title":"Pushing the Limits of Generic Side-Channel Attacks on\n  LWE-based KEMs - Parallel PC Oracle Attacks on Kyber KEM and Beyond","volume":"2023","author":"Gokulnath Rajendran","year":"2023","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref13:FOcalypse","volume-title":"Surviving the FO-Calypse: Securing PQC Implementations in\n  Practice","author":"Melissa Azouaoui","year":"2022"},{"key":"ref14:DBLP:conf\/host\/AssaelER23","doi-asserted-by":"publisher","first-page":"111","DOI":"10.1109\/HOST55118.2023.10133270","article-title":"Improving Single-Trace Attacks on the Number-Theoretic\n  Transform for Cortex-M4","author":"Guilh\u00e8m Assael","year":"2023"},{"key":"ref15:DBLP:journals\/tches\/HermelinkSST23","doi-asserted-by":"publisher","first-page":"60","DOI":"10.46586\/TCHES.V2023.I1.60-88","article-title":"Adapting Belief Propagation to Counter Shuffling of NTTs","volume":"2023","author":"Julius Hermelink","year":"2023","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. 
Syst."},{"key":"ref16:DBLP:conf\/asiacrypt\/Veyrat-CharvillonGS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-662-45611-8_15","article-title":"Soft Analytical Side-Channel Attacks","author":"Nicolas Veyrat-Charvillon","year":"2014"},{"key":"ref17:DBLP:journals\/tches\/BosGRSV21","doi-asserted-by":"publisher","first-page":"173","DOI":"10.46586\/TCHES.V2021.I4.173-214","article-title":"Masking Kyber: First- and Higher-Order Implementations","volume":"2021","author":"Joppe W. Bos","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref18:DBLP:journals\/tches\/BronchainC22","doi-asserted-by":"publisher","first-page":"553","DOI":"10.46586\/TCHES.V2022.I4.553-588","article-title":"Bitslicing Arithmetic\/Boolean Masking Conversions for Fun\n  and Profit with Application to Lattice-Based KEMs","volume":"2022","author":"Olivier Bronchain","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref19:DBLP:journals\/tecs\/RaviCDB24","doi-asserted-by":"publisher","DOI":"10.1145\/3603170","article-title":"Side-channel and Fault-injection attacks over Lattice-based\n  Post-quantum Schemes (Kyber, Dilithium): Survey and New Results","volume":"23","author":"Prasanna Ravi","year":"2024","journal-title":"ACM Trans. Embed. Comput. 
Syst."},{"key":"ref20:DBLP:conf\/pkc\/HoffmannLMPS23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1007\/978-3-031-31368-4_5","article-title":"POLKA: Towards Leakage-Resistant Post-quantum CCA-Secure\n  Public Key Encryption","author":"Cl\u00e9ment Hoffmann","year":"2023"},{"key":"ref21:DBLP:journals\/tches\/DuvalMMS21","doi-asserted-by":"publisher","first-page":"373","DOI":"10.46586\/TCHES.V2021.I1.373-401","article-title":"Exploring Crypto-Physical Dark Matter and Learning with\n  Physical Rounding Towards Secure and Efficient Fresh Re-Keying","volume":"2021","author":"S\u00e9bastien Duval","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref22:DBLP:conf\/crypto\/HoffmannMMRSU23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"410","DOI":"10.1007\/978-3-031-38548-3_14","article-title":"Learning with Physical Rounding for Linear and Quadratic\n  Leakage Functions","author":"Cl\u00e9ment Hoffmann","year":"2023"},{"key":"ref23:DBLP:conf\/crypto\/BelliziaBCGGMPP20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1007\/978-3-030-56784-2_13","article-title":"Mode-Level vs. 
Implementation-Level Physical Security in\n  Symmetric Cryptography - A Practical Guide Through the Leakage-Resistance\n  Jungle","author":"Davide Bellizia","year":"2020"},{"key":"ref24:DBLP:conf\/eurocrypt\/HovelmannsHMS25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1007\/978-3-031-91124-8_9","article-title":"(Un)breakable Curses - Re-encryption in the Fujisaki-Okamoto\n  Transform","author":"Kathrin H\u00f6velmanns","year":"2025"},{"key":"ref25:NTRU","volume-title":"NTRU: Algorithm Specification and Supporting Documentation","author":"Cong Chen","year":"2020"},{"key":"ref26:DBLP:conf\/ctrsa\/MangardPG05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1007\/978-3-540-30574-3_24","article-title":"Side-Channel Leakage of Masked CMOS Gates","author":"Stefan Mangard","year":"2005"},{"key":"ref27:DBLP:conf\/cosade\/CoronGPRRV12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1007\/978-3-642-29912-4_6","article-title":"Conversion of Security Proofs from One Leakage Model to\n  Another: A New Issue","author":"Jean-S\u00e9bastien Coron","year":"2012"},{"key":"ref28:DBLP:journals\/access\/TosunMS24","doi-asserted-by":"publisher","first-page":"166814","DOI":"10.1109\/ACCESS.2024.3494593","article-title":"Exploiting the Central Reduction in Lattice-Based\n  Cryptography","volume":"12","author":"Tolun Tosun","year":"2024","journal-title":"IEEE Access"},{"key":"ref29:DBLP:conf\/africacrypt\/PayS24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"260","DOI":"10.1007\/978-3-031-64381-1_12","article-title":"Side-Channel Analysis of Arithmetic Encodings for\n  Post-Quantum Cryptography: Cautionary Notes with Application to Kyber","author":"Duy\u00ean Pay","year":"2024"},{"key":"ref30:DBLP:conf\/sacrypt\/NagpalHPM25","series-title":"Lecture Notes 
in Computer Science","doi-asserted-by":"publisher","first-page":"753","DOI":"10.1007\/978-3-032-10536-3_28","article-title":"Efficient SPA Countermeasures Using Redundant Number\n  Representation with Application to ML-KEM","author":"Rishub Nagpal","year":"2025"},{"key":"ref31:DBLP:books\/daglib\/0017272","isbn-type":"print","volume-title":"Power analysis attacks - revealing the secrets of smart\n  cards","author":"Stefan Mangard","year":"2007","ISBN":"https:\/\/id.crossref.org\/isbn\/9780387308579"},{"key":"ref32:DBLP:conf\/ctrsa\/Mangard04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-3-540-24660-2_18","article-title":"Hardware Countermeasures against DPA ? A Statistical\n  Analysis of Their Effectiveness","author":"Stefan Mangard","year":"2004"},{"key":"ref33:schoenauen2025polka","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/978-3-032-01806-9_6","article-title":"Leveled Software Implementation of Polka and Comparison with\n  Uniformly Masked Kyber","author":"Thibaud Schoenauen","year":"2025"},{"key":"ref34:DBLP:conf\/ches\/ChariRR02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/3-540-36400-5_3","article-title":"Template Attacks","author":"Suresh Chari","year":"2002"},{"key":"ref35:DBLP:conf\/eurocrypt\/BaetuDHTV19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"747","DOI":"10.1007\/978-3-030-17656-3_26","article-title":"Misuse Attacks on Post-quantum Cryptosystems","author":"Ciprian Baetu","year":"2019"},{"key":"ref36:DBLP:conf\/ches\/CoronK09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"156","DOI":"10.1007\/978-3-642-04138-9_12","article-title":"An Efficient Method for Random Delay Generation in Embedded\n  Software","author":"Jean-S\u00e9bastien 
Coron","year":"2009"},{"key":"ref37:DBLP:conf\/ches\/CoronK10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1007\/978-3-642-15031-9_7","article-title":"Analysis and Improvement of the Random Delay Countermeasure\n  of CHES 2009","author":"Jean-S\u00e9bastien Coron","year":"2010"},{"key":"ref38:DBLP:conf\/cardis\/DurvauxRSOV12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/978-3-642-37288-9_9","article-title":"Efficient Removal of Random Delays from Embedded Software\n  Implementations Using Hidden Markov Models","author":"Fran\u00e7ois Durvaux","year":"2012"},{"key":"ref39:DBLP:conf\/cosade\/AzouaouiBHKSS22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1007\/978-3-030-99766-3_11","article-title":"Systematic Study of Decryption and Re-encryption Leakage:\n  The Case of Kyber","author":"Melissa Azouaoui","year":"2022"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:03:26Z","timestamp":1778040206000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":39,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/a36c0l2hd","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-01-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-22","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication 
History"}}],"article-number":"cc3-1-62"}}