KYBER, which is supposed to serve as the basis for post-quantum cryptography, probably still has vulnerabilities. Researchers have found a vulnerability in software libraries that can be defeated using a timing-based attack. The National Security Agency (NSA), Facebook and Google are already relying on this.
The KYBER key encapsulation method (KEM) was developed to replace classical encryption against cryptanalytic attacks using powerful quantum computers. It was developed by a team of developers from Europe and North America and is licensed under the Apache License 2.0.
Vulnerability discovered in KYBER
Researchers have discovered a vulnerability and have been working on developing an attack. The discovered timing vulnerability arises due to the division operation in the message decoding process used in the decryption process. During the analysis, another source of timing variation was found in several patched implementations of KYBER and this vulnerability was disclosed. The same division vulnerability can also be found in the compression functions used in the encryption process.
KYBER uses a protocol that uses a series of random numbers to create a secret key, which is then used to encrypt messages. This key should be resistant even to cryptanalytic attacks using quantum computers. The process has actually been successfully tested in a series of security tests and has been deemed safe by several organizations, including the National Security Agency (NSA). Currently, KYBER is used by companies including Google, Facebook and the European Union.
There are already security patches for the so-called KyberSlash vulnerabilities 1 and 2. However, not all software projects that use KYBER are affected by the vulnerabilities.
More at Kyberslash.cr.yp.to