Testing ML-KEM Implementations for Side-Channel Vulnerability: The Airtight Framework
DOI: https://doi.org/10.34190/eccws.25.1.4907
Keywords: Post-Quantum Cryptography, Module-Lattice-Based Key-Encapsulation Mechanism, Side-Channel Attacks, Power Analysis, Secure Implementations, Defense Communications
Abstract
As quantum computing advances toward operational capability, traditional public-key communication schemes are becoming obsolete. Cryptosystems such as Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), foundational to current secure communications, are vulnerable to Shor’s algorithm, which can efficiently factor integers and compute discrete logarithms once large-scale quantum systems emerge. In anticipation of this threat, the National Institute of Standards and Technology (NIST) has standardized the Module-Lattice Key Encapsulation Mechanism (ML-KEM), derived from the CRYSTALS-Kyber family, as a post-quantum cryptographic (PQC) solution designed to secure communications against both classical and quantum attackers. However, while ML-KEM’s lattice-based construction provides provable resistance to cryptanalytic attacks, its real-world implementations are susceptible to side-channel attacks (SCA). These attacks, which exploit timing variations, power consumption, or electromagnetic emissions, bypass the algorithm’s theoretical security by extracting secret keys from physical leakage. Even as cryptographic design moves beyond quantum threats, physical-layer vulnerabilities reintroduce risk at the hardware level. These physical-layer security vulnerabilities are a looming threat to future PQC security. Given the dangers posed by correlation power analysis, cryptographic programs must be implemented to mitigate these vulnerabilities, or else the increased security provided by PQC methods will be in vain. In this paper, we assert that the secure adoption of PQC in defense communication systems demands accelerated implementation of ML-KEM within secure communication protocols to ensure post-quantum readiness, together with rigorous evaluation of its side-channel resilience through experimental validation and countermeasure integration.
We survey recent research into ML-KEM side-channel resistance, identify existing countermeasure frameworks (masking, constant-time operations, noise injection), and propose Airtight: a framework for standardized testing of secure communication methods.
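The kind of experimental side-channel evaluation the abstract calls for is usually a fixed-versus-random leakage test (a Welch t-test in the TVLA style) over power traces. The following is an added illustration, not code from the paper or the Airtight framework: it simulates Hamming-weight power leakage of a secret-dependent ML-KEM intermediate (a coefficient product modulo q = 3329), once handled in the clear and once split into two arithmetic shares, and shows that the first-order test flags the unmasked version and passes the masked one. The secret value, noise model and trace counts are constructed assumptions.

```python
import math
import random
from statistics import mean, variance

Q = 3329            # ML-KEM modulus
T_THRESHOLD = 4.5   # conventional TVLA pass/fail bound on |t|


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def leak(value: int, rng: random.Random, sigma: float = 1.0) -> float:
    """Constructed power model: Hamming weight of the handled value plus Gaussian noise."""
    return hamming_weight(value) + rng.gauss(0.0, sigma)


def unmasked_sample(s: int, c: int, rng: random.Random) -> list[float]:
    """One trace point: the secret-dependent product s*c mod q is handled in the clear."""
    return [leak((s * c) % Q, rng)]


def masked_sample(s: int, c: int, rng: random.Random) -> list[float]:
    """Two trace points: the product is arithmetically shared as (r, s*c - r) mod q and
    each share is handled (and leaks) at its own point in time. Each share alone is
    uniform, so a first-order univariate test should not distinguish fixed from random.
    (A second-order test combining both points would still detect leakage.)"""
    r = rng.randrange(Q)
    return [leak(r, rng), leak(((s * c) - r) % Q, rng)]


def welch_t(a: list[float], b: list[float]) -> float:
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))


def tvla(impl, s: int, c_fixed: int, n: int = 2000, seed: int = 1) -> list[float]:
    """Fixed-vs-random test: the fixed set reuses one ciphertext coefficient, the random
    set draws a fresh one per trace. Returns |t| at every trace point."""
    rng = random.Random(seed)
    fixed = [impl(s, c_fixed, rng) for _ in range(n)]
    rand = [impl(s, rng.randrange(Q), rng) for _ in range(n)]
    return [abs(welch_t([f[i] for f in fixed], [r[i] for r in rand]))
            for i in range(len(fixed[0]))]


SECRET = 1234                   # constructed secret coefficient
C_FIXED = pow(SECRET, -1, Q)    # fixed input whose intermediate is 1 (Hamming weight 1)


def leakage_detected(impl, s: int = SECRET, c_fixed: int = C_FIXED) -> bool:
    return any(t > T_THRESHOLD for t in tvla(impl, s, c_fixed))


if __name__ == "__main__":
    print("unmasked |t| per point:", tvla(unmasked_sample, SECRET, C_FIXED))
    print("masked   |t| per point:", tvla(masked_sample, SECRET, C_FIXED))
```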
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.