Vulnerability DatabaseGHSA-9763-4f94-gfch

GHSA-9763-4f94-gfch:
vulnerability analysis and mitigation

Overview

CIRCL's Kyber implementation contains a timing side-channel vulnerability (known as kyberslash2) that affects versions prior to 1.3.7. The vulnerability was discovered in early 2024 and relates to timing variations in the division operations during Kyber's ciphertext compression (GitHub Advisory).

Technical details

The vulnerability stems from timing variations in division operations where CPU cycles for division vary depending on inputs, specifically when dividing a secret numerator by a public denominator. This variation occurs within the range of numerators used in the implementation, potentially leaking secret information through timing analysis (KyberSlash).

Impact

When an attacker can time decapsulation operations on forged ciphertexts, they could potentially learn parts of the secret key. However, this vulnerability does not affect ephemeral usage scenarios, such as typical TLS implementations (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 1.3.7 of CIRCL. The fix involves removing division by q in ciphertext compression and replacing it with alternative computation methods that don't exhibit timing variations (GitHub Commit).