Ledger warns of hidden risks in post-quantum cryptography

Ledger warned that post-quantum cryptography, designed to resist attacks from quantum computers, may be vulnerable in practice if the hardware running it is not protected. The alert was published on April 29, 2026, after the company demonstrated that private keys can be extracted without breaking the algorithm itself.

The risk comes from so-called side-channel attacks (SCA), a method that does not target the mathematics of the cryptography but its execution. Instead of cracking the system, the attacker observes indirect signals, such as the power consumption or electromagnetic emissions of the chip while it processes data. From these physical “leaks” it is possible to infer sensitive information, such as private keys.

According to Ledger’s Donjon team, this type of attack is already viable against real implementations of post-quantum cryptography. In tests carried out on an open-source implementation of the ML-KEM algorithm (formerly known as Kyber), they managed to recover parts of the secret key using about 40 electromagnetic measurements, a process that can be completed in less than a minute.

As CriptoNoticias has reported, ML-KEM (Module-Lattice-based Key Encapsulation Mechanism) is a recently standardized algorithm within post-quantum cryptography. It is designed to protect key exchange even against quantum computers, based on mathematical problems considered difficult to solve. However, Ledger’s experiment showed that theoretical strength does not prevent the physical implementation from leaking information.

The implications are direct. Devices such as hardware wallets, smart cards, IoT systems or even mobile phones can be compromised if an attacker gains physical access and has the equipment needed to measure these signals. In this scenario, security depends not only on the algorithm but on how it is implemented in the hardware.

To mitigate this risk, Ledger points out the need to incorporate specific countermeasures. Among them are masking, which splits the key into random shares; shuffling, which randomizes the order of operations; and desynchronization, which introduces variations in execution timing. These techniques aim to make it difficult to correlate the physical signals with the data being processed.
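As an added illustration of the first two countermeasures (this is example code, not Ledger’s or any ML-KEM implementation’s), the toy below splits the coefficients of a secret polynomial into random additive shares modulo q = 3329, the ML-KEM modulus, applies a linear operation share by share so the secret is never reassembled, and shuffles the coefficient order on each call. Real ML-KEM also has non-linear steps (for example compression and hashing) that need dedicated masked gadgets, which this example does not cover.

```python
import random
import secrets

Q = 3329  # ML-KEM modulus; coefficients of a secret polynomial live in Z_q


def mask(secret: list[int], order: int = 1) -> list[list[int]]:
    """Split each coefficient into `order + 1` additive shares mod Q.

    All shares but the last are drawn uniformly at random, so no single
    share (nor any intermediate computed from one share) is correlated
    with the secret; only the sum of all shares is.
    """
    if order < 1:
        raise ValueError("masking order must be at least 1")
    shares = [[secrets.randbelow(Q) for _ in secret] for _ in range(order)]
    last = [(s - sum(col)) % Q for s, col in zip(secret, zip(*shares))]
    return shares + [last]


def unmask(shares: list[list[int]]) -> list[int]:
    """Recombine the shares; done only where the secret is actually needed."""
    return [sum(col) % Q for col in zip(*shares)]


def masked_scalar_mul(shares: list[list[int]], c: int, rng=None) -> list[list[int]]:
    """Multiply the masked polynomial by a public constant c.

    Multiplication by a constant is linear over Z_q, so it can be applied
    to every share independently.  The coefficient order is shuffled per
    call (the "shuffling" countermeasure) so a trace cannot be aligned to
    a fixed index across measurements.
    """
    rng = rng or random.SystemRandom()
    order = list(range(len(shares[0])))
    rng.shuffle(order)
    out = [[0] * len(sh) for sh in shares]
    for idx in order:  # visit coefficients in a fresh random order
        for k, sh in enumerate(shares):
            out[k][idx] = (sh[idx] * c) % Q
    return out


if __name__ == "__main__":
    s = [1, 2, 3, Q - 1]  # constructed toy "secret" coefficients
    sh = mask(s, order=2)
    print("shares:", sh)
    print("unmask(7 * s) ==", unmask(masked_scalar_mul(sh, 7)))
```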

The warning introduces a key nuance in the transition to post-quantum cryptography. It is not enough to adopt algorithms resistant to quantum computing: real security will depend on running them in environments designed to avoid physical leaks. In practice, this means that users and companies will have to evaluate not only which cryptography they use, but also on what type of device and under what conditions it is implemented.
