KyberSlash Attacks Put Quantum Encryption Projects at Risk

Leading applications such as Signal and Mullvad VPN may be affected.

A number of implementations of the Kyber key encapsulation mechanism used for quantum-secure encryption are subject to vulnerabilities combined under the name KyberSlash. These flaws can allow attackers to recover private keys.

CRYSTALS-Kyber is the official implementation of Kyber and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) algorithm suite. It is designed for general encryption and is included in the National Institute of Standards and Technology (NIST) list of algorithms designed to resist attacks by quantum computers.

Popular projects that use Kyber implementations include the Mullvad VPN service and the Signal messenger. The latter announced last year that it uses CRYSTALS-Kyber as an additional layer of protection for user communications.

The KyberSlash vulnerabilities are timing side channels that arise from the way Kyber performs certain division operations during the decompression process. An attacker who can measure the execution time of these operations can extract secret information and undermine the encryption.

If a service using Kyber allows multiple requests to the same key pair, an attacker can measure the difference in the execution time of operations and gradually calculate the secret key.

The problem areas of the code associated with the KyberSlash vulnerabilities (KyberSlash1 and KyberSlash2) were discovered by researchers Goutam Tamvada, Karthikeyan Bhargavan and Franziskus Kiefer from Cryspen.

In a demonstration of KyberSlash1 on a Raspberry Pi system, the researchers recovered the Kyber secret key in two out of three attempts by measuring decryption time.

Cryspen analysts identified the KyberSlash1 vulnerability at the end of November last year and immediately informed the Kyber developers. A patch for KyberSlash1 was developed and released on December 1, 2023.
However, the fix was not flagged as a security issue, and it wasn't until December 15 that Cryspen started informing affected projects about the need for an update.

On December 30, a patch for KyberSlash2 was released after it was discovered and responsibly reported by researchers Prasanna Ravi and Matthias Kannwischer.

As of January 2, 2024, the list of projects affected by the issue and their fix status is as follows:
  • pq-crystals/kyber/ref – fully fixed
  • symbolicsoft/kyber-k2so – fully fixed
  • aws/aws-lc/crypto/kyber, main branch – fully fixed
  • zig/lib/std/crypto/kyber_d00.zig – fully fixed
  • liboqs/src/kem/kyber – fixed only for KyberSlash1
  • aws/aws-lc/crypto/kyber, fips branch-2022-11-02 – fixed only for KyberSlash1
  • randombit/botan – fixed only for KyberSlash1
  • mupq/pqm4/crypto_kem/kyber – fixed only for KyberSlash1
  • antontutoveanu/crystals-kyber-javascript – not fixed
  • Argyle-Software/kyber – not fixed
  • debian/src/liboqs/unstable/src/kem/kyber – not fixed
  • kudelskisecurity/crystals-go – patch not released yet
  • PQClean/PQClean/crypto_kem/kyber/aarch64 – not fixed
  • PQClean/PQClean/crypto_kem/kyber/clean – not fixed
  • rustpq/pqcrypto/pqcrypto-kyber (used in Signal) – not fixed

The list also names libraries that are not affected by the issue, because they do not perform divisions on secret inputs.

The worst-case scenario is a secret key leak, but that doesn't mean that all projects using Kyber are vulnerable to key leaks.

The consequences of KyberSlash depend on the Kyber implementation and may vary with how it is used in practice and with any additional security measures.

For example, Mullvad claims that KyberSlash does not affect its VPN product, because it uses a unique key pair for each new tunnel connection, which makes it impossible to run a series of timing measurements against the same pair.