A vulnerability has been found in implementations of Kyber, the encryption algorithm that won the cryptographic algorithm competition. It allows a side-channel attack that recovers the secret key by measuring how long operations take while the attacker's ciphertext is being decrypted.
The problem affects the reference implementation of the CRYSTALS-Kyber KEM (key encapsulation mechanism) as well as many third-party cryptographic libraries with Kyber support, including the pqcrypto library used by the Signal messenger.
The essence of the vulnerability, which has been given the code name KyberSlash, lies in the use of the division operation “t = ((t. Daniel J. Bernstein, a well-known expert in the field of cryptography, was able to prepare a working proof of concept showing that the attack is feasible in practice.
In two of the three experiments, run with the code executing on a Raspberry Pi 2 board, the Kyber-512 private key was fully recovered from timing measurements of data decryption. The method can also be adapted to Kyber-768 and Kyber-1024 keys. For the attack to succeed, the ciphertexts sent must be processed with the same key pair, and the attacker must be able to measure the timing of the operation accurately.
In some libraries a second leak (KyberSlash2) has been identified, which likewise arises from a division involving a secret value. It differs from the first variant in that the division is performed at the encryption stage (in the poly_compress and polyvec_compress functions) rather than during decryption. Moreover, the second variant is only useful to an attacker when the procedure is used in re-encryption operations in which the resulting ciphertext is considered confidential.
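To make the mechanism concrete, here is an added example, written for this page and not taken from the article, the Kyber project or any of the libraries it lists. It is in C, the language of the reference implementation, and shows the division-based coefficient compression that both KyberSlash variants rely on next to a branch-free, division-free replacement, followed by an exhaustive check that the two agree on every input. It assumes the Kyber modulus q = 3329; the constants 1665 and 80635 and the 28-bit shift are a fixed-point approximation of division by 3329 whose exactness for this input range is derived in the comments, and the function names are the example's own. The 1-bit case corresponds to the message-decoding step of decryption (the reference implementation's poly_tomsg function, which the article does not name), where the first variant's division sits; d = 4 and d = 5 correspond to the ciphertext compression the article attributes to KyberSlash2.

```c
/* Added example, not code from the article or the Kyber project.
 * Assumptions: KYBER_Q = 3329 (the Kyber modulus); the constants 1665,
 * 80635 and the shift by 28 are a multiply-and-shift replacement for
 * division by 3329, justified in the comment on compress_ct below. */
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Variable-time form: compress a coefficient t in [0, KYBER_Q) to d bits.
 * The '/' divides a secret-dependent value. On many CPUs the division
 * instruction (or the compiler's software division routine) takes a
 * number of cycles that depends on the operands, which is the timing
 * side channel the article describes. */
static uint32_t compress_div(uint32_t t, unsigned d) {
    return (((t << d) + KYBER_Q / 2) / KYBER_Q) & ((1u << d) - 1);
}

/* Constant-time form: the division is replaced by a fixed-point multiply
 * and a shift, both of which run in a fixed number of cycles.
 * Derivation: let u = (t << d) + 1665, so compress_div computes
 * floor((u - 1) / 3329). Write u = 3329k + r with 1 <= r <= 3329.
 * Since 3329 * 80635 = 268433915 < 2^28 = 268435456, u * 80635 / 2^28 is
 * strictly below k + 1; and because 80635 >= 1541k whenever k <= 52, it is
 * at least k. So floor(u * 80635 / 2^28) == floor((u - 1) / 3329) for all
 * u <= 3329 * 53, which covers every t in [0, KYBER_Q) for d in 1..5
 * (largest u there is 32 * 3328 + 1665 = 108161). */
static uint32_t compress_ct(uint32_t t, unsigned d) {
    uint64_t u = ((uint64_t)t << d) + 1665;
    u *= 80635;
    u >>= 28;
    return (uint32_t)u & ((1u << d) - 1);
}

/* 1-bit case used when decoding a message bit during decryption.
 * Input: a centered coefficient in (-KYBER_Q, KYBER_Q). A coefficient
 * near 0 decodes to 0, a coefficient near q/2 decodes to 1. */
static uint8_t decode_bit_ct(int16_t c) {
    int32_t t = c;
    t += (t >> 31) & KYBER_Q; /* add q if negative, without a branch */
    return (uint8_t)compress_ct((uint32_t)t, 1);
}

/* Exhaustive equivalence check: returns 1 if the constant-time form agrees
 * with the division form for every coefficient and every width d in 1..5.
 * This is the check to run before swapping a replacement into real code:
 * a constant-time routine that is not bit-exact would break decryption. */
static int check_equivalence(void) {
    for (unsigned d = 1; d <= 5; d++)
        for (uint32_t t = 0; t < KYBER_Q; t++)
            if (compress_div(t, d) != compress_ct(t, d))
                return 0;
    return 1;
}

int main(void) {
    int ok = check_equivalence();
    printf("constant-time compress matches division form: %s\n",
           ok ? "yes" : "NO");
    printf("decode_bit_ct(-5) = %u, decode_bit_ct(1700) = %u\n",
           decode_bit_ct(-5), decode_bit_ct(1700));
    return ok ? 0 : 1;
}
```

Whether a particular `/` is constant time depends on the CPU and on what the compiler emits for it (the article's measurements were taken on a Raspberry Pi 2), so the defensive policy is not to rely on the hardware at all and to keep secret-dependent values out of division entirely, as the fixed libraries listed below now do.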
The vulnerability has already been fixed in the following libraries:
- zig/lib/std/crypto/kyber_d00.zig (December 22)
- pq-crystals/kyber/ref (December 30)
- symbolicsoft/kyber-k2so (December 19)