Paper 2025/450

Verifiable Decapsulation: Recognizing Faulty Implementations of Post-Quantum KEMs

Lewis Glabush, École Polytechnique Fédérale de Lausanne
Felix Günther, IBM Research - Zurich
Kathrin Hövelmanns, Eindhoven University of Technology
Douglas Stebila, University of Waterloo
Abstract

Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification step is the re-encryption check in the Fujisaki-Okamoto (FO) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST's PQC standardization process. In KEMs built from FO, decapsulation performs a re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw was present in HQC's reference implementation and was only noticed after 19 months. In this work, we develop a modified FO transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the "verifiable verification" methodology of Fischlin and Günther (CCS 2023) to the context of FO-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified FO transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We show how to apply this technique to ML-KEM and HQC, both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data. 
Our experiments show that the implementation flaw in HQC's reference implementation indeed makes basic test cases fail when following our approach.
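The following added example (written for this page; it is not code from the paper and not from any ML-KEM or HQC implementation) shows the mechanism the abstract describes on a toy, ML-KEM-shaped LWE encryption scheme. Decapsulation re-encrypts the decrypted message, and the low-order bits that ciphertext compression discards from the re-encrypted (u, v) are exported as the confirmation code and bound into the key derivation, so a decapsulation that never re-encrypts cannot derive the encapsulator's key. Every concrete choice is an assumption made for illustration only: the parameters (q = 3329, n = 16 plain vectors instead of polynomials, 10-bit and 4-bit compression, 16-bit messages), SHA-256 in place of the SHA-3 family, the exact inputs to the KDF, and the implicit-rejection rule. None of it is secure; only the correctness behaviour matters here. correctness_test runs an encapsulate/decapsulate roundtrip, once against a correct decapsulation and once against a flawed one that skips re-encryption.

```python
import hashlib
import os

# Toy parameters, assumed for illustration only (no security claimed): ML-KEM-shaped LWE
# over Z_q with plain vectors instead of polynomials, one message bit per (u, v) pair.
Q, N, DU, DV, MSG_BITS = 3329, 16, 10, 4, 16

def _expand(seed: bytes, nbytes: int) -> bytes:  # SHA-256 in counter mode as a toy PRG
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]

def _small_vec(stream: bytes, k: int) -> list:  # k coefficients in {-1, 0, 1}
    return [(b % 3) - 1 for b in stream[:k]]

def _hash(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def compress(x: int, d: int) -> int:    # keep the top d bits of x in Z_q (as in ML-KEM)
    return round(x * 2 ** d / Q) % 2 ** d

def decompress(y: int, d: int) -> int:  # map back; the dropped low-order part is lost
    return round(y * Q / 2 ** d)

def pke_keygen(seed: bytes):
    st = _expand(b"keygen" + seed, 2 * N * N + 2 * N)
    A = [[int.from_bytes(st[2 * (i * N + j):2 * (i * N + j) + 2], "big") % Q
          for j in range(N)] for i in range(N)]
    s, e = _small_vec(st[2 * N * N:], N), _small_vec(st[2 * N * N + N:], N)
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(N)]  # b = As + e
    return (A, b), s

def pke_encrypt(pk, m: int, coins: bytes):
    """Deterministic encryption. Returns (compressed ciphertext, confirmation code), where
    the confirmation code is exactly the low-order information that compression drops."""
    A, b = pk
    st = _expand(b"enc" + coins, MSG_BITS * (2 * N + 1))
    ct, conf = [], []
    for i in range(MSG_BITS):
        chunk = st[i * (2 * N + 1):(i + 1) * (2 * N + 1)]
        r, e1 = _small_vec(chunk, N), _small_vec(chunk[N:], N)
        e2, bit = _small_vec(chunk[2 * N:], 1)[0], (m >> i) & 1
        u = [(sum(A[j][k] * r[j] for j in range(N)) + e1[k]) % Q for k in range(N)]  # A^T r + e1
        v = (sum(b[j] * r[j] for j in range(N)) + e2 + bit * (Q // 2)) % Q         # b.r + e2 + bit*q/2
        cu, cv = [compress(x, DU) for x in u], compress(v, DV)
        ct.append((cu, cv))
        conf.append(([(x - decompress(y, DU)) % Q for x, y in zip(u, cu)],
                     (v - decompress(cv, DV)) % Q))
    return ct, conf

def pke_decrypt(s, ct) -> int:
    m = 0
    for i, (cu, cv) in enumerate(ct):
        u = [decompress(y, DU) for y in cu]
        w = (decompress(cv, DV) - sum(s[j] * u[j] for j in range(N))) % Q
        if Q // 4 < w < 3 * Q // 4:  # total noise stays well below q/4 for these parameters
            m |= 1 << i
    return m

def _derive_key(m: int, hpk: bytes, ct, conf) -> bytes:
    """Assumed KDF; the verifiable variant additionally binds the confirmation code."""
    return _hash(b"key", m.to_bytes(2, "big"), hpk, repr(ct).encode(),
                 b"" if conf is None else repr(conf).encode())

def kem_keygen(seed: bytes):
    pk, s = pke_keygen(seed)
    return pk, (s, pk, _hash(b"pk", repr(pk).encode()), _hash(b"z", seed))  # z: rejection secret

def kem_encaps(pk, verifiable: bool, m: int = None):
    m = int.from_bytes(os.urandom(2), "big") if m is None else m
    hpk = _hash(b"pk", repr(pk).encode())
    ct, conf = pke_encrypt(pk, m, _hash(b"coins", m.to_bytes(2, "big"), hpk))
    return ct, _derive_key(m, hpk, ct, conf if verifiable else None)

def kem_decaps(sk, ct, verifiable: bool) -> bytes:
    """Correct FO decapsulation: decrypt, re-encrypt, compare, implicit rejection on mismatch."""
    s, pk, hpk, z = sk
    m2 = pke_decrypt(s, ct)
    ct2, conf2 = pke_encrypt(pk, m2, _hash(b"coins", m2.to_bytes(2, "big"), hpk))
    if ct2 != ct:
        return _hash(b"reject", z, repr(ct).encode())
    return _derive_key(m2, hpk, ct, conf2 if verifiable else None)

def kem_decaps_faulty(sk, ct, verifiable: bool) -> bytes:
    """Flawed decapsulation that skips re-encryption (the HQC-style omission). It never
    obtains a confirmation code, so 'verifiable' is ignored and None goes into the KDF."""
    s, _pk, hpk, _z = sk
    return _derive_key(pke_decrypt(s, ct), hpk, ct, None)

def correctness_test(decaps_fn, verifiable: bool, trials: int = 4) -> bool:
    """Basic roundtrip test: encapsulate, then decapsulate, and compare the keys."""
    pk, sk = kem_keygen(b"constructed-seed")
    for i in range(trials):  # fixed messages so the check is reproducible
        ct, key = kem_encaps(pk, verifiable, m=(i * 40503 + 7) % 2 ** MSG_BITS)
        if decaps_fn(sk, ct, verifiable) != key:
            return False
    return True
```

With plain FO, correctness_test(kem_decaps_faulty, False) returns True: the omitted re-encryption is invisible to a roundtrip test, exactly the situation the abstract describes for HQC. With the confirmation code bound into the key, correctness_test(kem_decaps_faulty, True) returns False on the very first ciphertext, while the correct kem_decaps passes in both modes and still implicitly rejects a tampered ciphertext. Note what is and is not forced: an implementation must run the re-encryption to obtain the dropped bits, but it could still skip the final equality comparison, which is why the abstract speaks of confirming "(most of)" the re-encryption step.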

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Key encapsulation mechanism, public-key encryption, Fujisaki-Okamoto transformation, NIST, ML-KEM, HQC, post-quantum
Contact author(s)
lewis glabush @ epfl ch
mail @ felixguenther info
kathrin @ hoevelmanns net
dstebila @ uwaterloo ca
History
2025-03-11: approved
2025-03-10: received
Short URL
https://ia.cr/2025/450
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/450,
      author = {Lewis Glabush and Felix Günther and Kathrin Hövelmanns and Douglas Stebila},
      title = {Verifiable Decapsulation: Recognizing Faulty Implementations of Post-Quantum {KEMs}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/450},
      year = {2025},
      url = {https://eprint.iacr.org/2025/450}
}