
ACKNOWLEDGMENTS
This work was partially funded by the grant 2022154 from the Appel à projets 2022 thèses AID Cifre-Défense by the Agence de l'Innovation de Défense (AID), Ministère des Armées (French Ministry of Defense). We wish to thank Benoît Cogliati for helpful discussions.
SECRYPT 2025 - 22nd International Conference on Security and Cryptography