Masked ML-KEM implementation for Pavona's ACC
47 views
Skip to first unread message
k...@zerorisc.com
Jun 4, 2026, 1:27:24 PMJun 4
to Pavona, Hoang Nguyen Hien Pham
Hello all!
As part of our efforts to extend Pavona’s post-quantum stack with side-channel hardened implementations, we at ZeroRISC just shared our masked ML-KEM implementation as a pull request to Pavona to share for initial review.
This implementation was designed and written by Hoang Nguyen Hien Pham using recent masking research to efficiently support arbitrary masking order. For first-order masking, it allows direct use with the masked KMAC hardware already present in Pavona.
A full explanation of the effort, including an overview of what masking is, why side-channel hardening is important, and how this implementation is designed is available in Hien’s blog post here on our website:
https://www.zerorisc.com/blog/hardened-pqc-on-pavona-masking-ml-kem
The draft PR we’ve shared to Pavona includes:
In particular, we’d like to:
Thank you so much! Please reach out if you have any questions.
Sincerely,
Kat Fox
ZeroRISC
As part of our efforts to extend Pavona’s post-quantum stack with side-channel hardened implementations, we at ZeroRISC just shared our masked ML-KEM implementation as a pull request to Pavona to share for initial review.
This implementation was designed and written by Hoang Nguyen Hien Pham using recent masking research to efficiently support arbitrary masking order. For first-order masking, it allows direct use with the masked KMAC hardware already present in Pavona.
A full explanation of the effort, including an overview of what masking is, why side-channel hardening is important, and how this implementation is designed is available in Hien’s blog post here on our website:
https://www.zerorisc.com/blog/hardened-pqc-on-pavona-masking-ml-kem
The draft PR we’ve shared to Pavona includes:
- Functional implementations of various masking gadgets evaluated as part of the masking effort (bitsliced and non-bitsliced)
- A fully-masked ML-KEM decapsulation implementation
- A fully-masked ML-KEM keypair generation implementation
In particular, we’d like to:
- Remove the evaluated masking gadgets (see the blog post above for what these are) not used in this branch, retaining them in an archived branch for academic review
- Coalesce the remaining gadgets into a single file
- Documentation each remaining gadget
- Update the clobbered register lists for each function changed
- Evaluate and possibly tweak our register whitening approach (see the blog post for an explanation of this as well) throughout the implementation based on side-channel testing
- Size down stacks for each ACC program to what is actually needed
- Lightly clean up the test code added as part of this PR
We would like to invite feedback from the community while we work on incorporating these changes, and expect the implementation to be ready for full review in the coming weeks.
Sincerely,
Kat Fox
ZeroRISC
k...@zerorisc.com
Jun 4, 2026, 1:33:33 PMJun 4
to Pavona, k...@zerorisc.com, Hoang Nguyen Hien Pham
Hello all,
I somehow missed including the link to the PR itself! Here it is below for review:
Thanks!
Sincerely,
Kat Fox
ZeroRISC
Reply all
Reply to author
Forward
0 new messages