Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Bug

Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered (bleepingcomputer.com) 12

jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that "Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption, are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."

jd explains that Crystals-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."

From the article: CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...

On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.

This discussion has been archived. No new comments can be posted.

Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered

Comments Filter:
  • by vbdasc ( 146051 ) on Saturday January 13, 2024 @09:48PM (#64156937)

    It seems that the algorithm itself is called Kyber, while Kyberslash is the name given to the vulnerability.

    • I'll edit it for free. Here ya go, EditorDavid:

      Post-Quantum Encryption Algorithm Kyber Patched After "KyberSlash" Side-Channel Attack Discovered

      • Still wrong, because the Algorithm Kyber is sound and does not need a patch; just the reference implementation.
        • by sTeF ( 8952 )
          not only the reference implementation, also other implementations had this problem, but not all.
          • > other implementations had this problem, but not all

            Oh.

            This is the real story.

            I misunderstood the original disclosure too.

            TYFYS

  • It is interesting that a fix to this appears to be coded in SPARK, which is a subset of Ada, and one can prove the application's state with it.

    Rust is awesome, but perhaps SPARK should get some headway, especially for security critical stuff, just because of the ability to actually prove what state the program can be in, something few languages can do.

    • With any reasonably sophisticated program the number of potential states (taking into account all variables and stacks) can explode exponentially as it runs so knowing the state at any given time might not do you a whole lot of good. This is the problem a lot of formal proof evangelists like to ignore.

  • Do we need any of this? AES128 is also quantum proof and is trusted.

    • Re:"Post quantum" (Score:4, Informative)

      by CaptQuark ( 2706165 ) on Sunday January 14, 2024 @01:35AM (#64157167)

      Quantum attacks

      AES-192 and AES-128 are not considered quantum resistant due to their smaller key sizes. AES-192 has a strength of 96 bits against quantum attacks and AES-128 has 64 bits of strength against quantum attacks, making them both insecure.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      • by gweihir ( 88907 )

        One should add that this is a _theoretical_ insecurity. Breaking AES with a QC requires several orders of magnitude more effective QBits that are available today and a long and complex calculation to be performed a rather large number of times (on average 2^63 times for AES-128). Also note that this is for a known-plaintext attack. Others are much harder.

        A practical attack on AES-128 using GCs is not even on the distant horizon.

    • In terms of use cases, isn't comparing Kyber with AES sort of an apples and oranges situation? Kyber is for public-private key setups, isn't it? AES is symmetric encryption - so a single private key (and reversible encryption).

  • 1) It all seems all to be really, really bad and really, really insecure. I wonder whether that is by intent.
    2) Nobody knows whether QCs will ever scale enough to break what is currently used.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...