Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
Alvaro Cintas Canto, Jasmin Kaur, Mehran Mozaffari Kermani, Reza Azarderakhsh

TL;DR
This survey reviews emerging implementation attacks on post-quantum cryptography algorithms, highlighting vulnerabilities and countermeasures, and discusses implications for future security standards in various applications.
Contribution
It provides a comprehensive overview of implementation attacks on NIST PQC winners, emphasizing the need for enhanced security measures against side-channel attacks.
Findings
PQC algorithms that are secure on paper are still vulnerable to side-channel attacks on their implementations.
Recent work has produced both new attack techniques and new countermeasures.
The survey draws implications for the new PQC standards and identifies future research directions.
Abstract
This survey is on forward-looking, emerging security concerns in the post-quantum era, i.e., the implementation attacks on the 2022 winners of the NIST post-quantum cryptography (PQC) competition; the visions, insights, and discussions can thus be used as a step forward towards scrutinizing the new standards for applications ranging from the Metaverse and Web 3.0 to deeply-embedded systems. The rapid advances in quantum computing have brought immense opportunities for scientific discovery and technological progress; however, they pose a major risk to today's security, since advanced quantum computers are believed to break all traditional public-key cryptographic algorithms. This has led to active research on PQC algorithms that are believed to be secure against classical and powerful quantum computers. However, algorithmic security is unfortunately insufficient, and many cryptographic algorithms are…
Taxonomy
Topics: Cryptographic Implementations and Security · Chaos-based Image/Signal Encryption · Coding theory and cryptography
