RUSTSEC-2023-0079
on 2023-12-01: KyberSlash: division timings depending on secrets
Various Kyber software libraries in various environments leak secret information into timing, specifically because
The KyberSlash pages track which Kyber libraries have this issue, and include a FAQ about the issue.
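The division the advisory refers to is the one inside Kyber's compress step, whose numerator is a secret coefficient. The following Rust is an added illustration, not code from the advisory or from the pqc_kyber crate: it shows that division beside the multiply-and-shift replacement used by the mitigations, with a reciprocal constant and exhaustive check constructed for this example rather than taken from any library's fix.

```rust
/// Kyber modulus q.
const Q: u32 = 3329;

/// Original form of Kyber's compress_d: floor((u * 2^d + q/2) / q) mod 2^d.
/// The numerator depends on the secret coefficient `u`, so if the compiler
/// emits a hardware division here, its execution time can leak `u`
/// (KyberSlash). Whether it does so depends on target and optimisation level.
fn compress_div(u: u16, d: u32) -> u16 {
    let x = ((u as u32) << d) + Q / 2;
    ((x / Q) & ((1 << d) - 1)) as u16
}

/// Division-free form: multiply by a precomputed reciprocal and shift.
/// Constants are constructed for this example (not a library's own):
/// M = ceil(2^K / q) with K = 40 keeps the rounding error below 1/q for every
/// numerator compress_d can produce (u < q, d <= 11), so the quotients agree.
/// Remaining assumption: 64-bit multiplication runs in constant time on the CPU.
const K: u32 = 40;
const M: u64 = ((1u64 << K) + Q as u64 - 1) / Q as u64; // ceil(2^40 / q)

fn compress_ct(u: u16, d: u32) -> u16 {
    let x = ((u as u64) << d) + (Q / 2) as u64;
    (((x * M) >> K) & ((1u64 << d) - 1)) as u16
}

/// Exhaustively checks that both forms agree on every coefficient 0..q-1.
/// Kyber uses d = 4 or 5 for polynomials and d = 10 or 11 for vectors.
fn forms_agree(d: u32) -> bool {
    (0..Q as u16).all(|u| compress_div(u, d) == compress_ct(u, d))
}

fn main() {
    for d in [4, 5, 10, 11] {
        let verdict = if forms_agree(d) { "agree" } else { "MISMATCH" };
        println!("d = {d:2}: {verdict}");
    }
}
```

The exhaustive comparison is what a reviewer would want before accepting such a replacement in a real library, since an off-by-one in the reciprocal constant changes ciphertexts silently.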
Author
The KyberSlash pages were written by Daniel J. Bernstein. The FAQ originally said "I", but some people seemed to have trouble finding this authorship statement, so the FAQ now says "Bernstein" instead.
URL
The permanent link for the KyberSlash pages is https://kyberslash.cr.yp.to.
Mitigation status in pqc_kyber crate
The issue has not been resolved in the upstream pqc_kyber crate. A third-party fork that mitigates this attack vector has been published as safe_pqc_kyber.
Alternatives
The ml-kem crate is a maintained alternative pure Rust implementation of ML-KEM / Kyber.
References
https://kyberslash.cr.yp.to/faq.html
https://kyberslash.cr.yp.to/libraries.html
https://github.com/bwesterb/argyle-kyber/commit/b5c6ad13f4eece80e59c6ebeafd787ba1519f5f6
GHSA-x5j2-g63m-f8g4