Special talk by Julius Hermelink on Side-Channel Attacks and Cryptanalysis under Side Information in Post-Quantum Cryptography
Info about event
Time:
Location: Ada-333
Abstract:
Cryptographic implementations have historically remained vulnerable long after their theoretical foundations were well understood. NIST's first general-purpose post-quantum standards were finalized in 2024 and are already being deployed widely, yet our understanding of their implementation security in real-world attack scenarios is still fairly limited.
In this talk, I present an information-theoretic approach to quantifying and exploiting side information in recent lattice-based post-quantum schemes. A central insight is that noise conditions are critical: they determine whether an attack is practical and whether countermeasures provide meaningful protection. I illustrate this with recent attacks on masked implementations of ML-KEM and ML-DSA, the two schemes standardized and primarily recommended by NIST, showing that countermeasures can fail to provide their intended guarantees and that security under side information may be substantially overestimated.
I then present a general framework for secret key recovery under (noisy) side information in lattice-based schemes, combining belief propagation with algebraic techniques such as lattice reduction. Our approach handles increased noise levels naturally and substantially improves upon prior work in both artificial settings and in practical attacks.
I close by outlining open problems in securing post-quantum schemes in real-world deployments, and by describing my research agenda for building the scientific foundations of post-quantum security in real-world applications.