GMS-2024-382: pypqc private key retrieval vulnerability

Impact

An attacker able to submit many ciphertexts against a single private key, and to get responses in real-time, could recover the private key. This vulnerability has been named KyberSlash.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

Patches

Version 0.0.6.1 and newer of PyPQC is patched.

Workarounds

No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes.

References

1. This was partially patched (“KyberSlash 1”) in the reference implementation by Peter Schwabe on December 1st, 2023. https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220

2. This was reported as a security vulnerability by Daniel J. Bernstein on December 15th, 2023. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ

3. A webpage was stood up for authoritative reference about this by Daniel J. Bernstein on December 19th, 2023. https://kyberslash.cr.yp.to/

4. This was acknowledged as a security vulnerability by Thom Wiggers on December 19th, 2023. https://www.github.com/PQClean/PQClean/issues/533

5. This was completely patched (“KyberSlash 2”) in the reference implementation by Peter Schwabe on December 29th, 2023. https://www.github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816

6. A proof-of-concept exploit was published by Daniel J. Bernstein on December 30th, 2023. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/uIOqRF5BAwAJ

7. This was completely patched in upstream by Thom Wiggers on January 25th, 2024. https://www.github.com/PQClean/PQClean/pull/534#event-11595728485

8. This was completely patched in pypqc (including upload to PyPI) on January 26th, 2024. https://www.github.com/JamesTheAwesomeDude/pypqc/commit/b33fec8cd36e865f8db6215c64b2d01f429a1ed6