KyberSlash: Exploiting secret-dependent division timings in Kyber implementations

Authors

  • Daniel J. Bernstein, University of Illinois at Chicago, Chicago, IL 60607-7045, USA; Academia Sinica, Taipei, Taiwan
  • Karthikeyan Bhargavan, Inria, Paris, France; Cryspen, Berlin, Germany
  • Shivam Bhasin, National Integrated Centre for Evaluation, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore
  • Anupam Chattopadhyay, College of Computing and Data Science, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore
  • Tee Kiah Chia, Temasek Labs, Nanyang Technological University, Singapore
  • Matthias J. Kannwischer, Quantum Safe Migration Center, Chelpis Quantum Tech, Taipei, Taiwan
  • Franziskus Kiefer, Cryspen, Berlin, Germany
  • Thales B. Paiva, University of Sao Paulo, Sao Paulo, Brazil; Fundep, Belo Horizonte, Brazil; CASNAV, Rio de Janeiro, Brazil
  • Prasanna Ravi, College of Computing and Data Science, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore
  • Goutam Tamvada, Cryspen, Berlin, Germany

DOI:

https://doi.org/10.46586/tches.v2025.i2.209-234

Keywords:

KyberSlash, PQC, Kyber, ML-KEM, Timing attacks, Division timing

Abstract

This paper presents KyberSlash1 and KyberSlash2 – two timing vulnerabilities in several implementations (including the official reference code) of the Kyber Post-Quantum Key Encapsulation Mechanism, recently standardized as ML-KEM. We demonstrate the exploitability of both KyberSlash1 and KyberSlash2 on two popular platforms: the Raspberry Pi 2 (Arm Cortex-A7) and the Arm Cortex-M4 microprocessor. Kyber secret keys are reliably recovered within minutes for KyberSlash2 and a few hours for KyberSlash1. We responsibly disclosed these vulnerabilities to maintainers of various libraries and they have swiftly been patched. We present two approaches for detecting and avoiding similar vulnerabilities. First, we patch the dynamic analysis tool Valgrind to allow detection of variable-time instructions operating on secret data, and apply it to more than 1000 implementations of cryptographic primitives in SUPERCOP. We report multiple findings. Second, we propose a more rigid approach to guarantee the absence of variable-time instructions in cryptographic software using formal methods.

Published

2025-03-04

Section

Articles

How to Cite

Bernstein, D. J., Bhargavan, K., Bhasin, S., Chattopadhyay, A., Chia, T. K., Kannwischer, M. J., Kiefer, F., Paiva, T. B., Ravi, P., & Tamvada, G. (2025). KyberSlash: Exploiting secret-dependent division timings in Kyber implementations. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2), 209-234. https://doi.org/10.46586/tches.v2025.i2.209-234