Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1mNmpoLWh2ZzItOTUyNc4AA4iq

crystals-go vulnerable to KyberSlash (timing side-channel attack for Kyber)

Impact

On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key.

Patches

Patched in https://github.com/kudelskisecurity/crystals-go/pull/21

Note

This library was written as part of a MsC student project in the Cybersecurity Team at Kudelski Security. It is not actively maintained anymore. It is only intended for research and testing. We discourage its use in any production environment. Kudelski Security does not use this library as part of their commercial offers or product. This has now been clarified on the project's README.

References

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo
http://kyberslash.cr.yp.to/

Permalink: https://github.com/advisories/GHSA-f6jh-hvg2-9525
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNmpoLWh2ZzItOTUyNc4AA4iq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago

Identifiers: GHSA-f6jh-hvg2-9525
References:

• https://github.com/kudelskisecurity/crystals-go/security/advisories/GHSA-f6jh-hvg2-9525
• https://github.com/kudelskisecurity/crystals-go/issues/19
• https://github.com/kudelskisecurity/crystals-go/pull/20
• https://github.com/kudelskisecurity/crystals-go/pull/21
• https://github.com/kudelskisecurity/crystals-go/commit/2a6ca2d4e64d18dd6e8fbb4e48e22c2510118505
• https://kyberslash.cr.yp.to/faq
• https://github.com/advisories/GHSA-f6jh-hvg2-9525

Repository: https://github.com/kudelskisecurity/crystals-go
Blast Radius: 0.0

Affected Packages