rustsec-2023-0079
Vulnerability from osv_rustsec
Published
2023-12-01 12:00
Modified
2024-04-12 21:07
Summary
KyberSlash: division timings depending on secrets
Details

Various Kyber software libraries in various environments leak secret information into timing, specifically because

  • these libraries include a line of code that divides a secret numerator by a public denominator,
  • the number of CPU cycles for division in various environments varies depending on the inputs to the division, and
  • this variation appears within the range of numerators used in these libraries.

The KyberSlash pages track which Kyber libraries have this issue, and include a FAQ about the issue.

Author

The KyberSlash pages were written by Daniel J. Bernstein. The FAQ originally said "I", but some people seemed to have trouble finding this authorship statement, so the FAQ now says "Bernstein" instead.

URL

The permanent link for the KyberSlash pages is https://kyberslash.cr.yp.to.

Mitigation status in pqc_kyber crate

The issue has not been resolved in the upstream pqc_kyber crate.

A third-party fork that mitigates this attack vector has been published as safe_pqc_kyber.

Alternatives

The ml-kem crate is a maintained alternative pure Rust implementation of ML-KEM / Kyber.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "crypto-failure"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "pqc_kyber",
        "purl": "pkg:cargo/pqc_kyber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-x5j2-g63m-f8g4"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Various Kyber software libraries in various environments leak secret information into timing, specifically because\n\n * these libraries include a line of code that divides a secret numerator by a public denominator,\n * the number of CPU cycles for division in various environments varies depending on the inputs to the division, and\n * this variation appears within the range of numerators used in these libraries.\n\nThe KyberSlash pages track which Kyber [libraries](https://kyberslash.cr.yp.to/libraries.html) have this issue, and include a [FAQ](https://kyberslash.cr.yp.to/faq.html) about the issue.\n\n## Author\n\nThe KyberSlash pages were written by Daniel J. Bernstein. The FAQ originally said \"I\", but some people seemed to have trouble finding this authorship statement, so the FAQ now says \"Bernstein\" instead.\n\n## URL\n\nThe permanent link for the KyberSlash pages is [https://kyberslash.cr.yp.to](https://kyberslash.cr.yp.to).\n\n## Mitigation status in `pqc_kyber` crate\n\nThe issue has not been resolved in the upstream `pqc_kyber` crate.\n\nA third-party fork that mitigates this attack vector has been published as [`safe_pqc_kyber`](https://crates.io/crates/safe_pqc_kyber).\n\n## Alternatives\n\nThe [`ml-kem`](https://crates.io/crates/ml-kem) crate is a maintained\nalternative pure Rust implementation of ML-KEM / Kyber.",
  "id": "RUSTSEC-2023-0079",
  "modified": "2024-04-12T21:07:31Z",
  "published": "2023-12-01T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/pqc_kyber"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0079.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/Argyle-Software/kyber/issues/108"
    },
    {
      "type": "WEB",
      "url": "https://kyberslash.cr.yp.to/faq.html"
    },
    {
      "type": "WEB",
      "url": "https://kyberslash.cr.yp.to/libraries.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "KyberSlash: division timings depending on secrets"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.