Security News > 2024 > January > KyberSlash attacks put quantum encryption projects at risk
Some popular projects using implementations of Kyber are Mullvad VPN and Signal messenger.
The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption.
The fix wasn't labeled as a security issue, and it wasn't until December 15 that Cryspen took a more public approach and started informing impacted projects they needed to upgrade their Kyber implementations.
The worst case scenario is leaking of the secret key but this doesn't mean that all projects using Kyber are vulnerable to key leaks.
The repercussions of KyberSlash depend on the Kyber implementation and can vary depending on the practical use cases and additional security measures.
Mullvad says KyberSlash does not impact its VPN product because they're using unique key pairs for each new tunnel connection, making it impossible to perform a series of timing attacks against the same pair.