Vulnerability Discovered in Kyber Key Encapsulation Mechanism

A recent discovery by researchers at Cryspen has unveiled a vulnerability in the Kyber key encapsulation mechanism used for quantum-safe encryption. Dubbed KyberSlash, this flaw could potentially allow the recovery of secret keys, compromising the encryption.

The affected code is the official (reference) implementation of the Kyber key encapsulation mechanism, part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS) suite of algorithms. Kyber is designed to withstand attacks from quantum computers and is among the quantum-safe algorithms selected by the National Institute of Standards and Technology (NIST).

The KyberSlash vulnerabilities are timing side channels in certain division operations that Kyber performs during decapsulation. Because the time those divisions take depends on the secret-dependent values being divided, an attacker who can measure execution time can derive secrets that compromise the encryption. The attack requires a service that performs many decapsulations with the same key pair, so that timing differences can be measured across requests and the secret key eventually recovered.

Researchers at Cryspen, including Goutam Tamvada, Karthikeyan Bhargavan, and Franziskus Kiefer, discovered the problematic code responsible for the KyberSlash vulnerabilities. Upon discovering KyberSlash1, Cryspen reported it to Kyber’s developers, who released a patch on December 1, 2023. However, it was not until December 15 that Cryspen started notifying impacted projects about the need to upgrade their Kyber implementations. KyberSlash2 was subsequently patched on December 30 following discovery and responsible reporting by Prasanna Ravi and Matthias Kannwischer.

A list of impacted projects and their patch status has been compiled. Some projects have been fully patched, while others have only received patches for KyberSlash1. Several projects still remain unpatched, leaving them vulnerable to the KyberSlash vulnerabilities.

The impact of KyberSlash varies depending on the Kyber implementation and the additional security measures in place. For example, Mullvad VPN states that it is not affected by KyberSlash because it uses a unique key pair for each new tunnel connection, which denies an attacker the repeated timing measurements against one key that the attack requires.

Efforts are underway to address the vulnerability and patch affected implementations. However, the full extent of the impact on projects such as Signal messenger and the steps they will take to mitigate the issue are yet to be determined.

It is important for organizations and developers using Kyber to stay informed about the vulnerability and promptly apply patches and updates as they become available.

The source of the article is from the blog macholevante.com
