Reported

December 1, 2023

Issued

February 9, 2024 (last modified: April 12, 2024)

Package

pqc_kyber (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#timing-attack

Aliases

• GHSA-x5j2-g63m-f8g4

References

• https://github.com/Argyle-Software/kyber/issues/108
• https://kyberslash.cr.yp.to/faq.html
• https://kyberslash.cr.yp.to/libraries.html
• https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6

CVSS Score

7.4 HIGH

CVSS Details

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Patched

no patched versions

Description

Various Kyber software libraries in various environments leak secret information into timing, specifically because

• these libraries include a line of code that divides a secret numerator by a public denominator,
• the number of CPU cycles for division in various environments varies depending on the inputs to the division, and
• this variation appears within the range of numerators used in these libraries.

The KyberSlash pages track which Kyber libraries have this issue, and include a FAQ about the issue.

Author

The KyberSlash pages were written by Daniel J. Bernstein. The FAQ originally said "I", but some people seemed to have trouble finding this authorship statement, so the FAQ now says "Bernstein" instead.

URL

The permanent link for the KyberSlash pages is https://kyberslash.cr.yp.to.

Mitigation status in pqc_kyber crate

The issue has not been resolved in the upstream pqc_kyber crate.

A third-party fork that mitigates this attack vector has been published as safe_pqc_kyber.

Alternatives

The ml-kem crate is a maintained alternative pure Rust implementation of ML-KEM / Kyber.

Advisory available under CC0-1.0 license.