Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered (bleepingcomputer.com)
jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that "Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."
jd explains that Crystals-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."
From the article: CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...
In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...
On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.
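The division the article describes is the step of decapsulation that turns each polynomial coefficient back into one message bit. The following C is an added example written for this page; it is neither the Kyber reference code nor the researchers' code. It places that step in its division form beside a multiply-and-shift form of the kind the upstream patch moved to, and checks exhaustively that the two agree on every possible coefficient. The constants are derived here (80635 = floor(2^28 / 3329), 1665 = ceil(3329 / 2)) and the function names, the sample polynomial and the check routines are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kyber ring parameters, the same for all three security levels. */
#define KYBER_Q 3329
#define KYBER_N 256

/* Map a coefficient in (-KYBER_Q, KYBER_Q) to [0, KYBER_Q) without a branch:
 * mask is all-ones exactly when c is negative, so q is added only then. */
static uint32_t normalize(int16_t c)
{
  uint32_t t = (uint32_t)(int32_t)c;
  uint32_t mask = 0u - (t >> 31);
  return t + (mask & KYBER_Q);
}

/* Division form, the shape of the decapsulation code KyberSlash1 targets:
 * round(2t/q) mod 2 written with an integer divide by q. Whether `/` turns
 * into a data-dependent division instruction (or a software division loop)
 * depends on the compiler and CPU; that is what makes it a leak on some
 * targets and not on others. */
static uint32_t decode_bit_div(int16_t c)
{
  uint32_t t = normalize(c);
  return (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
}

/* Multiply-and-shift form (assumed shape of the fix): 80635 = floor(2^28/q),
 * and 1665 = ceil(q/2) absorbs the rounding error of that reciprocal. Only
 * adds, multiplies and shifts, which are fixed-latency on common targets.
 * decode_variants_agree() below shows it is bit-for-bit the same function. */
static uint32_t decode_bit_ct(int16_t c)
{
  uint32_t t = normalize(c);
  t <<= 1;
  t += 1665;
  t *= 80635;
  t >>= 28;
  return t & 1;
}

/* poly_tomsg shape: 256 coefficients become a 32-byte message, one bit per
 * coefficient, using whichever decoder is supplied. */
static void poly_tomsg(uint8_t msg[KYBER_N / 8], const int16_t coeffs[KYBER_N],
                       uint32_t (*decode)(int16_t))
{
  for (unsigned i = 0; i < KYBER_N / 8; i++) {
    msg[i] = 0;
    for (unsigned j = 0; j < 8; j++)
      msg[i] |= (uint8_t)(decode(coeffs[8 * i + j]) << j);
  }
}

/* Exhaustive equivalence check over every possible input coefficient. */
bool decode_variants_agree(void)
{
  for (int32_t c = -(KYBER_Q - 1); c <= KYBER_Q - 1; c++)
    if (decode_bit_div((int16_t)c) != decode_bit_ct((int16_t)c))
      return false;
  return true;
}

/* Constructed sample polynomial (not real Kyber output): a deterministic
 * sweep that covers both negative and positive coefficients. */
static void sample_poly(int16_t coeffs[KYBER_N])
{
  for (unsigned i = 0; i < KYBER_N; i++)
    coeffs[i] = (int16_t)((int32_t)((i * 1327u) % (2 * KYBER_Q - 1)) - (KYBER_Q - 1));
}

/* Both decoders must produce the same 32-byte message for the sample. */
bool sample_messages_agree(void)
{
  int16_t coeffs[KYBER_N];
  uint8_t m_div[KYBER_N / 8], m_ct[KYBER_N / 8];
  sample_poly(coeffs);
  poly_tomsg(m_div, coeffs, decode_bit_div);
  poly_tomsg(m_ct, coeffs, decode_bit_ct);
  return memcmp(m_div, m_ct, sizeof m_div) == 0;
}

int main(void)
{
  printf("exhaustive agreement: %s\n", decode_variants_agree() ? "yes" : "no");
  printf("sample message agreement: %s\n", sample_messages_agree() ? "yes" : "no");
  return 0;
}
```

Compile with `cc -O2` and run; the exhaustive check proves the two forms compute the same function, nothing more. Whether the division form actually leaks has to be judged on the target with the target compiler: with KYBER_Q a compile-time constant, an optimizing compiler will often strength-reduce the divide into a multiply-high on x86-64, while on ARM cores whose divide instruction has data-dependent latency, or that have no hardware divider at all, the same source becomes a measurable timing channel. The practical check is to disassemble the built decapsulation routine and look for a division instruction or a call into the compiler's software division helper; the fixed form has neither.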
Wrong title? (Score:3)
It seems that the algorithm itself is called Kyber, while Kyberslash is the name given to the vulnerability.
Re: (Score:3)
I'll edit it for free. Here ya go, EditorDavid:
Post-Quantum Encryption Algorithm Kyber Patched After "KyberSlash" Side-Channel Attack Discovered
Re: (Score:2)
> other implementations had this problem, but not all
Oh.
This is the real story.
I misunderstood the original disclosure too.
TYFYS
Fix coded in SPARK? (Score:2)
It is interesting that a fix to this appears to be coded in SPARK, which is a subset of Ada, and one can prove the application's state with it.
Rust is awesome, but perhaps SPARK should get some headway, especially for security critical stuff, just because of the ability to actually prove what state the program can be in, something few languages can do.
Re: Fix coded in SPARK? (Score:2)
With any reasonably sophisticated program the number of potential states (taking into account all variables and stacks) can explode exponentially as it runs so knowing the state at any given time might not do you a whole lot of good. This is the problem a lot of formal proof evangelists like to ignore.
"Post quantum" (Score:2)
Do we need any of this? AES128 is also quantum proof and is trusted.
Re:"Post quantum" (Score:4, Informative)
Quantum attacks
AES-192 and AES-128 are not considered quantum resistant due to their smaller key sizes. AES-192 has a strength of 96 bits against quantum attacks and AES-128 has 64 bits of strength against quantum attacks, making them both insecure.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
One should add that this is a _theoretical_ insecurity. Breaking AES with a QC requires several orders of magnitude more effective qubits than are available today and a long and complex calculation to be performed a rather large number of times (on average 2^63 times for AES-128). Also note that this is for a known-plaintext attack. Others are much harder.
A practical attack on AES-128 using QCs is not even on the distant horizon.
Re: (Score:2)
In terms of use cases, isn't comparing Kyber with AES sort of an apples and oranges situation? Kyber is for public-private key setups, isn't it? AES is symmetric encryption - so a single private key (and reversible encryption).
Stay far away from the "post-quantum" crap (Score:2)
1) It all seems to be really, really bad and really, really insecure. I wonder whether that is by intent.
2) Nobody knows whether QCs will ever scale enough to break what is currently used.