Date: 2024-01-09

Summary:

Researchers have identified vulnerabilities in multiple implementations of the Kyber key encapsulation mechanism used for quantum-safe encryption, collectively known as KyberSlash. These flaws could potentially allow attackers to recover secret keys and compromise encryption. While patches have been released for some affected projects, others remain unpatched, leaving them vulnerable. The impact of KyberSlash depends on the specific implementation and additional security measures in place.

Timing-Based Attacks Exploit Kyber’s Division Operations

Researchers at Cryspen have discovered timing-based attacks, known as KyberSlash, that exploit the way Kyber performs division operations during the decapsulation process. By measuring the execution time of these operations, attackers can derive secrets and potentially compromise the encryption. The vulnerabilities, named KyberSlash1 and KyberSlash2, were identified by Goutam Tamvada, Karthikeyan Bhargavan, and Franziskus Kiefer.
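To make the mechanism concrete, here is an added example (not code from any of the projects named on this page) of the message-decoding step that the timing attack targets: one coefficient decoded with an integer division whose operand depends on secret data, beside a multiply-and-shift variant that yields the same bit in constant time. The modulus q = 3329 is Kyber's; the constants 1665 and 80635 are chosen so that the two decoders agree for every coefficient, which the check function verifies exhaustively.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Map a coefficient in (-q, q) to [0, q) without a branch. */
static uint32_t to_unsigned(int16_t c) {
    int32_t v = c;
    v += (v >> 31) & KYBER_Q;   /* adds q only when v is negative */
    return (uint32_t)v;
}

/* Variable-time decoder: divides a value derived from the secret-dependent
 * coefficient by KYBER_Q. Integer division has operand-dependent latency on
 * many CPUs, so the time taken depends on the secret (the KyberSlash issue). */
uint8_t decode_bit_div(int16_t coeff) {
    uint32_t t = to_unsigned(coeff);
    return (uint8_t)((((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1);
}

/* Constant-time decoder: the same rounding done with a multiply and a shift,
 * which take fixed time. 80635 = floor(2^28 / 3329); adding 1665 instead of
 * q/2 = 1664 makes the floor agree with the division for all t in [0, q).
 * Every intermediate stays below 2^32 (the largest is 8321 * 80635). */
uint8_t decode_bit_ct(int16_t coeff) {
    uint32_t t = to_unsigned(coeff);
    t <<= 1;
    t += 1665;
    t *= 80635;
    t >>= 28;
    return (uint8_t)(t & 1);
}

/* Exhaustively compare the two decoders over every coefficient in (-q, q).
 * Returns the number of disagreements; 0 means the replacement is exact. */
int count_mismatches(void) {
    int mismatches = 0;
    for (int c = -(KYBER_Q - 1); c <= KYBER_Q - 1; c++)
        if (decode_bit_div((int16_t)c) != decode_bit_ct((int16_t)c))
            mismatches++;
    return mismatches;
}

int main(void) {
    printf("mismatches over all coefficients: %d\n", count_mismatches());
    return 0;
}
```

The bit is 1 exactly when the coefficient is closer to q/2 than to 0 modulo q, so a mismatch count of 0 shows the constant-time form can replace the division without changing any decrypted message.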

Efforts to Fix and Patch Vulnerable Implementations

Cryspen reported KyberSlash1 to the developers of Kyber, who released a patch on December 1, 2023. However, the fix was not initially labeled as a security issue. Cryspen took a more public approach on December 15, notifying impacted projects to upgrade their Kyber implementations. On December 30, KyberSlash2 was also patched, after responsible reporting by Prasanna Ravi and Matthias Kannwischer. Various projects have since patched their implementations, while others remain unpatched.

Impacted Projects and Fixing Status

Several projects have been identified as impacted by the KyberSlash vulnerabilities. Fully patched projects include pq-crystals/kyber/ref, symbolicsoft/kyber-k2so, aws/aws-lc/crypto/kyber (main branch), and zig/lib/std/crypto/kyber_d00.zig. However, others, such as antontutoveanu/crystals-kyber-javascript and rustpq/pqcrypto/pqcrypto-kyber, remain unpatched. Remediation efforts for these projects are ongoing.

Understanding the Impact and Repercussions

The worst-case scenario resulting from KyberSlash is the leakage of secret keys. However, not all projects using Kyber are necessarily vulnerable to key leaks. The extent of the impact depends on the specific Kyber implementation and the additional security measures in place. Mullvad VPN, for instance, states that KyberSlash does not affect its product because it uses a unique key pair for each tunnel connection, which makes it difficult to perform the series of timing measurements against the same key pair that the attack requires.

Future Steps and Engaging Impacted Projects

It is crucial for projects using Kyber to assess their vulnerability and apply the necessary patches promptly. BleepingComputer has contacted Signal to understand the impact of KyberSlash on their cryptography and users’ communications, as well as their remediation plans. The collaboration between researchers, developers, and impacted projects will play a vital role in resolving these vulnerabilities and ensuring the security of quantum-safe encryption.