International Association for Cryptologic Research


Transactions on Cryptographic Hardware and Embedded Systems 2025

KyberSlash: Exploiting secret-dependent division timings in Kyber implementations


Daniel J. Bernstein
University of Illinois at Chicago, Chicago, IL 60607-7045, USA; Academia Sinica, Taipei, Taiwan

Karthikeyan Bhargavan
Inria, Paris, France; Cryspen, Berlin, Germany

Shivam Bhasin
National Integrated Centre for Evaluation, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore

Anupam Chattopadhyay
College of Computing and Data Science, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore

Tee Kiah Chia
Temasek Labs, Nanyang Technological University, Singapore

Matthias J. Kannwischer
Quantum Safe Migration Center, Chelpis Quantum Tech, Taipei, Taiwan

Franziskus Kiefer
Cryspen, Berlin, Germany

Thales B. Paiva
University of Sao Paulo, Sao Paulo, Brazil; Fundep, Belo Horizonte, Brazil; CASNAV, Rio de Janeiro, Brazil

Prasanna Ravi
College of Computing and Data Science, Nanyang Technological University, Singapore; Temasek Labs, Nanyang Technological University, Singapore

Goutam Tamvada
Cryspen, Berlin, Germany


Keywords: KyberSlash, PQC, Kyber, ML-KEM, Timing attacks, Division timing


Abstract

This paper presents KyberSlash1 and KyberSlash2 – two timing vulnerabilities in several implementations (including the official reference code) of the Kyber Post-Quantum Key Encapsulation Mechanism, recently standardized as ML-KEM. We demonstrate the exploitability of both KyberSlash1 and KyberSlash2 on two popular platforms: the Raspberry Pi 2 (Arm Cortex-A7) and the Arm Cortex-M4 microprocessor. Kyber secret keys are reliably recovered within minutes for KyberSlash2 and a few hours for KyberSlash1. We responsibly disclosed these vulnerabilities to maintainers of various libraries and they have swiftly been patched. We present two approaches for detecting and avoiding similar vulnerabilities. First, we patch the dynamic analysis tool Valgrind to allow detection of variable-time instructions operating on secret data, and apply it to more than 1000 implementations of cryptographic primitives in SUPERCOP. We report multiple findings. Second, we propose a more rigid approach to guarantee the absence of variable-time instructions in cryptographic software using formal methods.
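The vulnerability class the abstract describes, as an added worked example that is not code from the paper or its artifact: a division by the constant q = 3329 on a value derived from the secret, next to a division-free replacement, with an exhaustive check that the two agree. The routine shapes (the message-bit decoding in poly_tomsg and the 4-bit coefficient compression in poly_compress) and the constants 1665 and 80635 follow the public pq-crystals reference implementation and its fix; this page itself names neither, so treat that attribution as the example's assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Message-bit decoding as written in the pre-fix reference poly_tomsg
 * (assumed shape): round(2t/q) mod 2 computed with an integer division.
 * The divisor is constant, but on Cortex-M4 / Cortex-A7 the compiler can
 * still emit udiv/sdiv, and the latency of those instructions depends on
 * the dividend, i.e. on the secret-derived coefficient t. */
static uint32_t tomsg_bit_div(uint16_t t)
{
    return ((((uint32_t)t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
}

/* Division-free form. 80635 / 2^28 is slightly below 1/q (80635 * 3329 =
 * 2^28 - 1541), and adding 1665 instead of q/2 = 1664 compensates for the
 * underestimate, so for every t in [0, q) the result equals
 * floor((2t + 1664) / q). Only add/mul/shift/and remain, none of which
 * has operand-dependent latency on the targets above. */
static uint32_t tomsg_bit_ct(uint16_t t)
{
    uint32_t x = ((uint32_t)t << 1) + 1665;
    x *= 80635;
    x >>= 28;
    return x & 1;
}

/* 4-bit coefficient compression (poly_compress with d = 4, assumed shape):
 * the same division pattern, keeping the low four bits of the quotient. */
static uint32_t compress4_div(uint16_t t)
{
    return ((((uint32_t)t << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
}

/* Same multiply-and-shift trick. The 32-bit product (16t + 1665) * 80635
 * wraps for large t, but only the low four bits of (x >> 28) are kept and
 * 2^28 * 16 = 2^32, so the wraparound does not change the result. */
static uint32_t compress4_ct(uint16_t t)
{
    uint32_t x = ((uint32_t)t << 4) + 1665;
    x *= 80635;
    x >>= 28;
    return x & 15;
}

/* Exhaustive equivalence check over every representative t in [0, q).
 * Returns the number of mismatches; 0 means the replacement is exact. */
static unsigned check_equivalence(void)
{
    unsigned mismatches = 0;
    for (uint32_t t = 0; t < KYBER_Q; t++) {
        if (tomsg_bit_div((uint16_t)t) != tomsg_bit_ct((uint16_t)t))
            mismatches++;
        if (compress4_div((uint16_t)t) != compress4_ct((uint16_t)t))
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    printf("mismatches over t in [0, %d): %u\n", KYBER_Q, check_equivalence());
    /* 832 and 833 straddle q/4: the decoded bit flips between them. */
    printf("t=832 -> bit %u, t=833 -> bit %u\n",
           tomsg_bit_ct(832), tomsg_bit_ct(833));
    return 0;
}
```

Whether the `_div` variants actually compile to a division instruction depends on the compiler, optimisation level and target, which is why source inspection alone is not a reliable check: disassemble the object for the real target (for example `arm-none-eabi-objdump -d` and look for `udiv`/`sdiv`) or use a dynamic tool such as the Valgrind patch the abstract describes, which flags variable-time instructions operating on secret-tainted data. The exhaustive loop is cheap here because the input domain is only q values; that is the test to run whenever a division on secret data is replaced by a reciprocal approximation, since the approximation is only valid for a bounded dividend.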

Publication

IACR Transactions on Cryptographic Hardware and Embedded Systems, Volume 2025, Issue 2

Artifact

Artifact number
tches/2025/a9

Artifact published
July 18, 2025

Badge
IACR CHES Artifacts Functional

README

ZIP (216704 bytes)

View repository

License

Some files in this archive are licensed under a different license. See the contents of this archive for more information.

Note that license information is supplied by the authors and has not been confirmed by the IACR.


How to cite

Daniel J. Bernstein, Karthikeyan Bhargavan, Shivam Bhasin, Anupam Chattopadhyay, Tee Kiah Chia, Matthias J. Kannwischer, Franziskus Kiefer, Thales B. Paiva, Prasanna Ravi, Goutam Tamvada. (2025). KyberSlash: Exploiting secret-dependent division timings in Kyber implementations. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2), 209–234. https://doi.org/10.46586/tches.v2025.i2.209-234. Artifact at https://artifacts.iacr.org/tches/2025/a9.