



























Manuel Barbosa, University of Porto, INESC TEC, Max Planck Institute for Security and Privacy
Stanislaw Jarecki, University of California, Irvine
KEM-to-PAKE compilers have been recently proposed to leverage post-quantum KEM standardization efforts. These typically follow the Encrypted Key Exchange (EKE) paradigm, where the KEM public key is encrypted under a password. While KEM implementations generally aim to execute all secret-dependent computations in constant time, such guarantees do not always extend to computations that depend only on the public key, as public keys are generally assumed to be public. A notable example is ML-KEM, where public keys include a short seed from which a large matrix is expanded prior to algebraic computations. This expansion procedure relies on rejection sampling which is, typically, implemented as a variable-time algorithm. However, compilers that follow the EKE paradigm must treat the public key as secret, since knowledge of the public key hidden in a ciphertext enables an offline dictionary attack on the password; therefore, instantiating these compilers with off-the-shelf implementations of ML-KEM or encrypting the public key under a password using variable-time methods (e.g., cycle walking or rejection sampling, as proposed in related PAKE literature) can be problematic. In this paper we show two approaches which yield ML-KEM-based PAKEs resilient to timing attacks. First, we explore constant-time alternatives to ML-KEM rejection sampling, but as one might expect, such methods impose a performance penalty on ML-KEM. Our second approach introduces a new ML-KEM-to-PAKE compiler that mitigates this issue by design: our proposal transmits the seed in the clear, decoupling password-dependent computations from the seed expansion step. This means that off-the-shelf implementations of ML-KEM can be used. Our new protocol Tempo builds on an idea from CHIC (Asiacrypt'24), which considered splitting the KEM public key, and extends the NoIC protocol and proof (ePrint:2025/231) to show protocol simulation in the UC framework, assuming ML-KEM security under adversarially chosen seeds. We justify this assumption via a new hardness assumption, which we call Oracle-MLWE, and show that it is asymptotically equivalent to the MLWE problem in the Random Oracle Model.
BibTeX
@misc{cryptoeprint:2025/1399,
author = {Afonso Arriaga and Manuel Barbosa and Stanislaw Jarecki},
title = {Tempo: An {ML}-{KEM} to {PAKE} Compiler Resilient to Timing Attacks},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1399},
year = {2025},
url = {https://eprint.iacr.org/2025/1399}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。