RUSTSEC-2023-0079 on 2023-12-01: KyberSlash: division timings depending on secrets

Various Kyber software libraries in various environments leak secret information into timing, specifically because

  • these libraries include a line of code that divides a secret numerator by a public denominator,
  • the number of CPU cycles for division in various environments varies depending on the inputs to the division, and
  • this variation appears within the range of numerators used in these libraries.

The KyberSlash pages track which Kyber libraries have this issue, and include a FAQ about the issue.
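As an added illustration (not code from this page or from any crate it names), the pattern the bullets describe and a division-free replacement, in Rust with Kyber's public modulus q = 3329: compress_vartime mirrors the reference compress expression, a secret coefficient divided by q, while compress_ct computes the same quotient with a precomputed reciprocal and a shift, the general approach the fixed libraries take. The function names and the Barrett constants are this example's own choices, not the crate's API.

```rust
// Public Kyber parameter; only the numerator is secret.
const Q: u64 = 3329;
// Barrett reciprocal: M = ceil(2^40 / Q). Since Q does not divide 2^40, floor + 1 is the ceiling.
const BARRETT_K: u32 = 40;
const BARRETT_M: u64 = (1u64 << BARRETT_K) / Q + 1;

/// Variable-time form: the reference pattern, ((u << d) + q/2) / q mod 2^d.
/// The `/` may compile to a hardware divide whose cycle count depends on the secret `u`.
pub fn compress_vartime(u: u16, d: u32) -> u16 {
    let t = ((u as u32) << d) + (Q as u32) / 2;
    ((t / (Q as u32)) & ((1u32 << d) - 1)) as u16
}

/// Constant-time form: floor(t / q) as (t * M) >> 40, a multiply and a shift only.
/// With M = ceil(2^40 / q) this is exact for every t below about 3.4e8, which covers
/// the largest numerator Kyber's compression produces ((q-1) << 11) + q/2 < 7e6.
pub fn compress_ct(u: u16, d: u32) -> u16 {
    let t = ((u as u64) << d) + Q / 2;
    let quotient = (t * BARRETT_M) >> BARRETT_K;
    (quotient & ((1u64 << d) - 1)) as u16
}

/// Exhaustive check that both forms agree for every coefficient value 0..q at width d.
pub fn forms_agree(d: u32) -> bool {
    (0..Q as u16).all(|u| compress_vartime(u, d) == compress_ct(u, d))
}

fn main() {
    // The compression widths Kyber uses across its parameter sets.
    for d in [1, 4, 5, 10, 11] {
        println!("d={d}: {}", if forms_agree(d) { "ok" } else { "MISMATCH" });
    }
}
```

Optimizing compilers often strength-reduce division by a constant into exactly this multiply-and-shift, but that is not guaranteed across targets and optimization levels, which is why the fixed libraries spell the reciprocal out; the practical check is to inspect the generated assembly (for example via `cargo rustc --release -- --emit asm`) for divide instructions in the compress and decompress paths.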

Author

The KyberSlash pages were written by Daniel J. Bernstein. The FAQ originally said "I", but some people seemed to have trouble finding this authorship statement, so the FAQ now says "Bernstein" instead.

URL

The permanent link for the KyberSlash pages is https://kyberslash.cr.yp.to.

Mitigation status in pqc_kyber crate

The issue has not been resolved in the upstream pqc_kyber crate.

A third-party fork that mitigates this attack vector has been published as safe_pqc_kyber.

Alternatives

The ml-kem crate is a maintained alternative pure Rust implementation of ML-KEM / Kyber.

References

  • https://kyberslash.cr.yp.to/faq.html
  • https://kyberslash.cr.yp.to/libraries.html
  • https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6
  • GHSA-x5j2-g63m-f8g4
