PQC (Post-Quantum Cryptography) 01-25-2024

Is Kyber vulnerable? A look at the math and implementation

Jeremy Rowley
Kyber Blog Hero Image

Co-authored by: Timothy Hollebeek

Recent reports indicate the Kyber ML-KEM protection against post-quantum cryptography (PQC) has a serious flaw. The full picture is more complicated—and luckily, there’s a simple way to protect your data.

Kyber weakness announcement prompts security concerns

Over the past few weeks, cybersecurity watchdogs and technology news outlets have published reports of a vulnerability in Kyber’s ability to protect data against post-quantum attacks. With the National Institute of Standards and Technology (NIST) set to announce approved standards for Kyber this year, these reports are raising alarms.

The team that identified the vulnerabilities successfully leveraged timing-based attacks to recover keys. This form of attack, known as KyberSlash1 and KyberSlash2, uses division operations to clock the length of the deciphering function. Once measured, they were able to estimate a timing that allowed them to build a key pair for encryption.

Understanding the full nature of the ML-KEM vulnerability

While it’s true these attacks can lead to a successful key derivation, it would be inaccurate to label Kyber itself as weak. The math behind Kyber is intact. The vulnerability lies in Kyber’s implementation.

Like all forms of cryptography, implementations may run faster or slower depending on the level of attention given to the precise details of the private key. It’s this implementation speed—not the encryption itself—that allows for unauthorized key recovery. Kyber is secure, and to ensure the standard is ready for post-quantum attacks, NIST issued a patch for this timing vulnerability on December 1, 2023.

The multi-faceted approach to data encryption

Because post-quantum cryptography is relatively new, there are certain to be more vulnerabilities found in Kyber and the other three algorithmic standards in development with NIST. This isn’t the result of weak cryptography in the four standards, but instead the immaturity of deployment practices in the real world.

While the cyber industry works to mature post-quantum security deployments, the best method for protecting data is to combine new algorithms with classical algorithms.

If a deployment weakness allows an attacker to gain access to secured data, that data will still be encrypted by classical algorithms. In the case of data secured only with a quantum-safe algorithm, any breach will lead immediately to decryption. But if data is secured with both quantum-safe and classical algorithms, there’s a better chance the attacker won’t be able to break the classical encryption until quantum computers arrive.

This practice of deploying classical and post-quantum cryptography in tandem helps to close off potential vulnerabilities as they’re discovered through real-world practice. It also builds quantum security on a foundation of proven cryptography, ensuring data is at least as well secured as the best standards of today, while adding some valuable protection against the quantum threat coming in the near future.

The latest developments in digital trust

Want to learn more about topics like post-quantum cryptography, crypto-agility, and enterprise security? Subscribe to the DigiCert blog to ensure you never miss a story. 

Subscribe to the blog