Researchers Demonstrate High‑Success Simple Power Analysis Attack on HQC
Global: Simple Power Analysis Attack on HQC Demonstrated with High Success Rate
On Jan 12 2026, researchers Pavel Velek, Tomáš Rabas, and Jiří Buček published a preprint on arXiv describing a side‑channel attack against the Hamming Quasi‑Cyclic (HQC) cryptosystem, a candidate in NIST’s fourth round of post‑quantum cryptography standardization. The attack, a single‑trace Simple Power Analysis (SPA), targets power‑consumption leakage during the polynomial multiplication phase of HQC decryption.
Experimental Setup and Method
Using a ChipWhisperer‑Lite evaluation board, the authors captured power traces during decryption, processed the data to isolate the multiplication step, and correlated the leakage with secret polynomial coefficients. The methodology relies on a single trace, distinguishing it from more complex multi‑trace attacks.
Attack Success Rate
The experiment comprised 10 000 attack attempts, achieving a 99.69 % success rate, which demonstrates that the leakage is reliably exploitable under the tested conditions.
Proposed Countermeasures
To mitigate the vulnerability, the paper proposes randomizing the order of polynomial multiplication, inserting dummy operations, and adopting constant‑time implementations. Each countermeasure is evaluated for computational overhead, highlighting trade‑offs between security and performance.
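The order-randomization and dummy-operation ideas named above, sketched on a toy multiplication in GF(2)[x]/(x^N - 1). This is an added example, not code from the paper or from any HQC implementation. It assumes a sparse secret multiplied by a dense polynomial, and the ring size, weight, support, decoy count and placeholder PRNG are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define N 61          /* toy ring GF(2)[x]/(x^N - 1); constructed, not an HQC parameter */
#define W 5           /* weight of the sparse secret (constructed) */
#define SLOTS (W + 3) /* real rotations plus 3 decoy rotations (assumed count) */
static uint32_t rng_state = 0x12345678u; /* placeholder PRNG; a device would use its TRNG */
static uint32_t rng_next(void) { return (rng_state = rng_state * 1664525u + 1013904223u) >> 16; }
static volatile uint8_t scratch[N];      /* volatile so decoy writes are not optimised away */

/* Baseline: rotate-and-XOR in the fixed order of the secret support. */
void mul_fixed(uint8_t out[N], const uint16_t sup[W], const uint8_t dense[N]) {
    memset(out, 0, N);
    for (int k = 0; k < W; k++)
        for (int i = 0; i < N; i++) out[(i + sup[k]) % N] ^= dense[i];
}

/* Sketch: real and decoy rotations share one randomly ordered schedule. */
void mul_shuffled(uint8_t out[N], const uint16_t sup[W], const uint8_t dense[N]) {
    uint16_t shift[SLOTS];
    uint8_t mask[SLOTS];                  /* 0xFF = real slot, 0x00 = decoy slot */
    for (int k = 0; k < SLOTS; k++) {
        mask[k] = (k < W) ? 0xFF : 0x00;
        shift[k] = (k < W) ? sup[k] : (uint16_t)(rng_next() % N);
    }
    for (int k = SLOTS - 1; k > 0; k--) { /* Fisher-Yates; modulo bias ignored in this sketch */
        int j = (int)(rng_next() % (uint32_t)(k + 1));
        uint16_t ts = shift[k]; shift[k] = shift[j]; shift[j] = ts;
        uint8_t tm = mask[k]; mask[k] = mask[j]; mask[j] = tm;
    }
    memset(out, 0, N);
    for (int k = 0; k < SLOTS; k++)
        for (int i = 0; i < N; i++) {
            int j = (i + shift[k]) % N;   /* same loads, XORs and stores for every slot */
            out[j] ^= dense[i] & mask[k];
            scratch[j] ^= dense[i] & (uint8_t)~mask[k];
        }
}

int self_check(void) { /* returns 1 if both routines agree over 100 different shuffles */
    const uint16_t sup[W] = {2, 7, 19, 40, 58};   /* constructed secret support */
    uint8_t dense[N], a[N], b[N];
    for (int i = 0; i < N; i++) dense[i] = (uint8_t)(i % 3 == 0); /* constructed input */
    mul_fixed(a, sup, dense);
    for (int t = 0; t < 100; t++) {
        mul_shuffled(b, sup, dense);
        if (memcmp(a, b, N) != 0) return 0;
    }
    return 1;
}
```

Because XOR accumulation is commutative, the shuffled schedule yields the same product while each run costs SLOTS/W times the baseline work, which is the kind of overhead trade-off the paper weighs. On a real target the shuffle needs an unbiased draw from a hardware random source.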
Implications for NIST Standardization
The findings arrive as NIST continues to assess HQC alongside other lattice‑based schemes. Adoption of HQC in future standards could expose a broad range of deployments to the identified side‑channel risk, making the results particularly relevant for hardware manufacturers and security auditors.
Broader Significance for Post‑Quantum Security
The work underscores that post‑quantum algorithms are not immune to relatively simple power‑analysis techniques, emphasizing the need for side‑channel‑resistant design practices early in the standardization process.
This report is based on the abstract of the research paper published on arXiv, licensed under Academic Preprint / Open Access. The full text is available via arXiv.