Publication: Verifiable Decapsulation: Recognizing Faulty Implementations of Post-quantum KEMs
Verifiable Decapsulation: Recognizing Faulty Implementations of Post-quantum KEMs
| cris.lastimport.scopus | 2026-03-04T05:18:39Z | |
| cris.lastimport.wos | 2026-01-25T03:50:54Z | |
| cris.virtual.parent-organization | IINFCOM | |
| cris.virtual.parent-organization | IC | |
| cris.virtual.parent-organization | EPFL | |
| cris.virtual.sciperId | 386771 | |
| cris.virtual.unitId | 10433 | |
| cris.virtual.unitManager | Vaudenay, Serge | |
| cris.virtualsource.author-scopus | c22a6725-2069-4545-97fc-3b406e92bd4a | |
| cris.virtualsource.department | c22a6725-2069-4545-97fc-3b406e92bd4a | |
| cris.virtualsource.orcid | c22a6725-2069-4545-97fc-3b406e92bd4a | |
| cris.virtualsource.parent-organization | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| cris.virtualsource.parent-organization | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| cris.virtualsource.parent-organization | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| cris.virtualsource.parent-organization | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| cris.virtualsource.rid | c22a6725-2069-4545-97fc-3b406e92bd4a | |
| cris.virtualsource.sciperId | c22a6725-2069-4545-97fc-3b406e92bd4a | |
| cris.virtualsource.unitId | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| cris.virtualsource.unitManager | d7a6896a-217a-418f-b31e-b419a884b9e8 | |
| datacite.rights | openaccess | |
| dc.contributor.author | Glabush, Lewis Alexander | |
| dc.contributor.author | Günther, Felix | |
| dc.contributor.author | Hövelmanns, Kathrin | |
| dc.contributor.author | Stebila, Douglas | |
| dc.contributor.scientificeditor | Tauman Kalai, Yael | |
| dc.contributor.scientificeditor | Kamara, Seny F. | |
| dc.date.accessioned | 2025-09-05T13:51:16Z | |
| dc.date.available | 2025-09-05T13:51:16Z | |
| dc.date.created | 2025-09-05 | |
| dc.date.issued | 2025 | |
| dc.date.modified | 2025-09-05T13:51:19.748068Z | |
| dc.description.abstract | Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification step is the reencryption check in the Fujisaki-Okamoto (FO) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST's PQC standardization process. In KEMs built from FO, decapsulation performs a re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw was present in HQC's reference implementation and was only noticed after 19 months. In this work, we develop a modified FO transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the "verifiable verification" methodology of Fischlin and Günther (CCS 2023) to the context of FO-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified FO transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We show how to apply this technique to ML-KEM and HQC, both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data. Our experiments show that the implementation flaw in HQC's reference implementation indeed makes basic test cases fail when following our approach. | |
| dc.description.sponsorship | LASEC | |
| dc.identifier.doi | 10.1007/978-3-032-01881-6_17 | |
| dc.identifier.scopus | 2-s2.0-105014161507 | |
| dc.identifier.uri | ||
| dc.language.iso | en | |
| dc.publisher | Springer Science and Business Media Deutschland GmbH | |
| dc.relation.conference | 45th Annual International Cryptology Conference | |
| dc.relation.grantno | VI.Veni.222.397 | |
| dc.relation.grantno | ALLRP 578463-22,RGPIN-2022-03187 | |
| dc.relation.ispartof | Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings | |
| dc.relation.ispartofseries | Lecture Notes in Computer Science; 16002 | |
| dc.relation.serieissn | 1611-3349 | |
| dc.relation.serieissn | 0302-9743 | |
| dc.rights | false | |
| dc.subject | Key encapsulation mechanism | |
| dc.subject | public-key encryption | |
| dc.subject | Fujisaki-Okamoto transformation | |
| dc.subject | NIST | |
| dc.subject | ML-KEM | |
| dc.subject | HQC | |
| dc.subject | post-quantum security | |
| dc.subject | QROM | |
| dc.title | Verifiable Decapsulation: Recognizing Faulty Implementations of Post-quantum KEMs | |
| dc.type | text::conference output::conference proceedings::conference paper | |
| dspace.entity.type | Publication | |
| dspace.file.type | main document | |
| epfl.peerreviewed | REVIEWED | |
| epfl.relation.conferenceType | conference | |
| epfl.workflow.startDateTime | 2025-09-05T11:44:08.448Z | |
| epfl.writtenAt | EPFL | |
| local.scopus.sourceType | cp | |
| oaire.citation.conferenceDate | 2025-08-17 - 2025-08-21 | |
| oaire.citation.conferencePlace | Santa Barbara, California, USA | |
| oaire.citation.endPage | 574 | |
| oaire.citation.startPage | 543 | |
| oaire.licenseCondition | CC BY | |
| oaire.version | ||
| oairecerif.acronym | CRYPTO 2025 | |
| oairecerif.author.affiliation | IBM Research - Zurich | |
| oairecerif.author.affiliation | Technische Universiteit Eindhoven | |
| oairecerif.author.affiliation | University of Waterloo | |
| oairecerif.funder | NWO | |
| oairecerif.funder | Natural Sciences and Engineering Research Council of Canada | |
| person.identifier.orcid | 0009-0008-7165-6150 | |
| person.identifier.orcid | 0000-0002-8495-6610 | |
| person.identifier.orcid | 0000-0002-5478-0140 | |
| person.identifier.orcid | 0000-0001-9443-3170 | |
| person.identifier.scopus-author-id | 60068771400 | |
| person.identifier.scopus-author-id | 50261528900 | |
| person.identifier.scopus-author-id | 57197733656 | |
| person.identifier.scopus-author-id | 6507135977 |