KyberSlash, a vulnerability that affects Kyber quantum encryption


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

In mid-2020 we shared here on the blog the news of the winners of the contest for «cryptographic algorithms resistant to quantum computers», which mentioned that the winner of the contest, Kyber, was the one considered most suitable for promotion as a standard.

The reason for talking about it again is that news was recently released that a vulnerability affecting Kyber has been detected. This vulnerability, named KyberSlash, allows side-channel attacks that reconstruct secret keys by measuring the time taken by operations during the decryption of a ciphertext supplied by the attacker.

Related article:
NIST announced the winners of the contest for algorithms resistant to quantum computers

It is mentioned that the problem affects both the reference implementation of the CRYSTALS-Kyber KEM (key encapsulation mechanism) and many third-party libraries that support Kyber, including the pqcrypto library used in Signal (the instant messaging app).

The central problem of KyberSlash is a timing attack. Such attacks exploit the way Kyber performs certain division operations in its decryption process: attackers can analyze the execution time of these operations and obtain secret information that could compromise the encryption. The vulnerability arises because the number of CPU cycles a division takes varies, on different platforms, depending on the division's inputs.

The essence of KyberSlash lies in the use of the division operation «t = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1;» while decoding a message, in which the dividend contains the secret value "t" of type "double" and the divisor is the well-known public value KYBER_Q. The problem is that the time of a division operation is not constant: in different environments the number of CPU cycles spent on the division depends on the input data. Thus, from the changes in operation times, one can infer the nature of the data used in the division.
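As an added illustration (not code from the article or from the Kyber project), here is the division the article quotes beside a division-free rounding that yields the same bit, with an exhaustive check that the two agree. KYBER_Q is Kyber's real modulus; the coefficient is assumed to be already reduced into [0, KYBER_Q-1].

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the article or the Kyber project.
 * KYBER_Q is Kyber's real modulus; t is assumed already reduced
 * into [0, KYBER_Q-1], which the reference code ensures beforehand. */
#define KYBER_Q 3329

/* The expression the article quotes: decode one message bit by
 * rounding 2t/q.  The '/' divides a secret-dependent dividend, and on
 * many CPUs the cycle count of an integer division depends on the
 * operands, which is what KyberSlash measures. */
int decode_bit_division(uint16_t t)
{
    return (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
}

/* Same rounding without a division: multiply by a fixed-point
 * approximation of 1/q and shift.  Multiplication and shifts run in
 * operand-independent time on mainstream cores, which is the kind of
 * replacement the KyberSlash patches made.  The constants are chosen so
 * the result matches decode_bit_division for every t in [0, KYBER_Q-1]. */
int decode_bit_ct(uint16_t t)
{
    uint32_t x = ((uint32_t)t << 1) + 1665;  /* 2t + ceil(q/2) */
    x *= 80635;                               /* ~ x * 2^28 / q */
    x >>= 28;
    return (int)(x & 1);
}

/* Exhaustive check that both decoders agree on every possible
 * coefficient; returns 1 on full agreement, 0 otherwise. */
int decoders_agree(void)
{
    for (uint32_t t = 0; t < KYBER_Q; t++)
        if (decode_bit_division((uint16_t)t) != decode_bit_ct((uint16_t)t))
            return 0;
    return 1;
}

int main(void)
{
    printf("decoders agree on all %d inputs: %s\n", KYBER_Q,
           decoders_agree() ? "yes" : "no");
    return 0;
}
```

The bit flips from 0 to 1 at t = 833 and back to 0 at t = 2497 in both versions; only the division-free form keeps the secret coefficient out of a variable-latency instruction.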

To demonstrate the vulnerability, Daniel J. Bernstein, a cryptography expert, prepared a working demonstration showing that the attack can be carried out in practice. In two of the three experiments carried out when running the code on a Raspberry Pi 2, the Kyber-512 secret key was completely reconstructed from measurements of the data decoding time.

The method can also be adapted to Kyber-768 and Kyber-1024 keys. For the attack to succeed, the ciphertext supplied by the attacker must be processed with the same key pair, and the execution time of the operation must be measurable accurately.

In addition, it is mentioned that another variant (KyberSlash2) has been identified in some libraries, which also arises from the use of a secret value during a division. The difference from the first variant comes down to the call being made at the encryption stage (in the poly_compress and polyvec_compress functions) instead of at decryption. However, the second variant may be useful for an attack only in routine re-encryption use cases, where the ciphertext output is considered confidential.

Currently, efforts are being made to address these vulnerabilities, with several projects and libraries already fully patched or in the process of being patched. It is essential that services implementing Kyber update to the patched versions, since these flaws are considered important: they potentially allow the recovery of secret keys, which poses a risk to the security of quantum encryption projects.

The impact of KyberSlash depends on the specific Kyber implementation and its use cases. For example, Mullvad VPN explained that KyberSlash does not affect its product because it uses unique key pairs for each new tunnel connection, making it impossible to launch a series of synchronized attacks against the same pair.

Finally, if you are interested in knowing more about it, you can check the details in the following link.

