As quantum computers mature, today's public-key algorithms such as RSA and Diffie-Hellman, whose security rests on integer factorization and discrete logarithms, will become breakable by Shor's algorithm. This led to the development of post-quantum cryptography (PQC), which relies on mathematical problems believed to be hard for both classical and quantum computers. However, a recent attack on CRYSTALS-Kyber, the key-encapsulation mechanism NIST selected for standardization in July 2022, has renewed concerns about the security of PQC deployments and shows that researchers are now concentrating on breaking the few remaining viable candidates for key establishment. The attack targets an implementation of Kyber rather than the underlying mathematics, a distinction that matters for how it must be mitigated.
What is a Side-Channel Attack?
A side-channel attack does not target the mathematics of a cryptographic algorithm but exploits the physical or behavioral characteristics of its implementation: power consumption, electromagnetic emanations, timing, cache access patterns, or any other observable that varies with the data being processed. By statistically analyzing these observables, an attacker can infer sensitive information such as secret keys or decrypted messages. Power and electromagnetic attacks require measuring the target device, so they are primarily a concern for hardware an attacker can physically access or instrument, such as smart cards, HSMs, and embedded devices.
The New Attack on CRYSTALS-Kyber
Recently, researchers at KTH Royal Institute of Technology in Sweden combined deep-learning (neural network) classification with a power-analysis side channel, measuring the power consumption of a microcontroller while it ran a masked CRYSTALS-Kyber decapsulation, and recovered the message (and therefore the shared secret) with a probability above 99%. This is concerning because CRYSTALS-Kyber is the key-encapsulation mechanism the US National Institute of Standards and Technology (NIST) selected to replace today's public-key key-exchange algorithms and protect against quantum computers. Because the weakness is in the implementation rather than the algorithm, the response is implementation-level countermeasures (stronger masking, shuffling, and other hiding techniques) rather than a change to Kyber itself.
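The following Python simulation is an added, constructed example, not code or data from the KTH paper or from Qrypt. It illustrates the class of attack described in the two sections above: a profiled power-analysis attack on Kyber's message decoding step. The decoding function follows Kyber's definition (q = 3329); everything else is an assumption chosen for the illustration: a leakage model in which each decoded bit leaks its Hamming weight plus Gaussian noise, the noise level, the number of traces averaged, and a first-order Boolean masking scheme. It also shows why the mitigation sits in the implementation: masking defeats the naive first-order template, while a second-order attacker recovers the bits again at the price of many more traces.

```python
"""Simulated profiled power-analysis attack on Kyber-style message decoding.

Constructed toy model (not the KTH team's measurement setup or code):
 - A 'device' decodes 256 message bits from decrypted polynomial
   coefficients (q = 3329) and leaks, for each bit, the Hamming weight of
   the value it handles plus Gaussian noise (assumed leakage model).
 - Profiling on known messages builds a template: the mean leakage
   feature for bit = 0 and for bit = 1.
 - The attack classifies bits of unknown messages, averaging the feature
   over repeated traces of the same decapsulation (Kyber decapsulation of
   a fixed ciphertext is deterministic, so the intermediates repeat).
 - A first-order Boolean-masked device shows why the first-order template
   fails, and how a second-order feature (centred product of the two
   share samples) brings the bits back at the cost of more traces.
"""
import random
import statistics

KYBER_Q = 3329
N_BITS = 256          # a Kyber message is 32 bytes = 256 bits
NOISE_SIGMA = 1.0     # assumed measurement noise, in Hamming-weight units


def decode_bit(coeff):
    """Kyber message decoding: 1 if coeff is nearer to q/2 than to 0 (mod q)."""
    return (((coeff << 1) + KYBER_Q // 2) // KYBER_Q) & 1


def noisy_coefficient(bit, rng):
    """Decrypted coefficient seen by the device: bit * ceil(q/2) plus a small
    residual error (assumed within +/-300; correct decoding needs |error| < q/4)."""
    return (bit * ((KYBER_Q + 1) // 2) + rng.randint(-300, 300)) % KYBER_Q


def leak_unmasked(bit, rng):
    """Unprotected device: one sample per bit, HW(bit) + noise."""
    return [bit + rng.gauss(0.0, NOISE_SIGMA)]


def leak_masked(bit, rng):
    """First-order Boolean-masked device: it only ever handles r and bit ^ r."""
    r = rng.randint(0, 1)
    return [r + rng.gauss(0.0, NOISE_SIGMA), (bit ^ r) + rng.gauss(0.0, NOISE_SIGMA)]


def feature(samples, sample_means, order):
    """Reduce one trace's samples to a scalar. Order 1: plain sum (a first-order
    statistic). Order 2: product of mean-centred samples, which statistically
    recombines the two shares."""
    if order == 1:
        return sum(samples)
    prod = 1.0
    for s, m in zip(samples, sample_means):
        prod *= s - m
    return prod


def run_device(message_bits, leak, rng):
    """One decapsulation: decode every coefficient, record (decoded bit, samples)."""
    records = []
    for bit in message_bits:
        decoded = decode_bit(noisy_coefficient(bit, rng))
        records.append((decoded, leak(decoded, rng)))
    return records


def profile(leak, order, rng, n_messages=40):
    """Profiling on a device with known messages: estimate per-sample means, then
    the mean feature for bit = 0 and bit = 1 (the template)."""
    records = []
    for _ in range(n_messages):
        msg = [rng.randint(0, 1) for _ in range(N_BITS)]
        records.extend(run_device(msg, leak, rng))
    n_samples = len(records[0][1])
    sample_means = [statistics.fmean(s[i] for _, s in records) for i in range(n_samples)]
    template = {b: statistics.fmean(feature(s, sample_means, order)
                                    for bit, s in records if bit == b) for b in (0, 1)}
    return sample_means, template


def attack(leak, order, n_traces, seed=0, n_messages=10):
    """Recover unknown messages from n_traces repeated decapsulations each;
    returns the fraction of message bits recovered correctly."""
    rng = random.Random(seed)
    sample_means, template = profile(leak, order, rng)
    correct = total = 0
    for _ in range(n_messages):
        msg = [rng.randint(0, 1) for _ in range(N_BITS)]
        avg = [0.0] * N_BITS
        for _ in range(n_traces):   # same message each time: noise averages out
            for i, (_, samples) in enumerate(run_device(msg, leak, rng)):
                avg[i] += feature(samples, sample_means, order) / n_traces
        for bit, f in zip(msg, avg):
            guess = min((0, 1), key=lambda b: abs(f - template[b]))
            correct += int(guess == bit)
            total += 1
    return correct / total


if __name__ == "__main__":
    scenarios = [
        ("unmasked, 1st-order template,   1 trace ", leak_unmasked, 1, 1),
        ("unmasked, 1st-order template,  30 traces", leak_unmasked, 1, 30),
        ("masked,   1st-order template,  30 traces", leak_masked, 1, 30),
        ("masked,   2nd-order template,  30 traces", leak_masked, 2, 30),
        ("masked,   2nd-order template, 200 traces", leak_masked, 2, 200),
    ]
    for name, leak, order, traces in scenarios:
        print(f"{name}: {attack(leak, order, traces):.1%} of message bits recovered")
```

With the assumed noise level, a single trace of the unmasked device yields only about 70% of the bits, but averaging 30 traces of the same decapsulation pushes recovery above 99%, which is the effect of the victim deterministically repeating its intermediates. Against the masked device the first-order template degrades to coin-flipping, and the second-order attacker needs several times more traces to get back above 99%: masking raises the attacker's cost, it does not remove the leak, which is consistent with the KTH result against a higher-order masked implementation.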
The Risks to Post-Quantum Cryptography Efforts
The CRYSTALS-Kyber attack shows that serious, still-undiscovered risks remain around the nascent PQC algorithms. It did not break the algorithm itself but exploited a weakness in one implementation, and implementation weaknesses are difficult to detect and mitigate uniformly across all platforms. The attack is one instance of the intense research and attack activity now directed at the remaining PQC candidates. While this class of risk is not unique to PQC, it is a serious concern, because such attacks compromise the confidentiality of post-quantum systems even while the underlying mathematics remains sound.
Qrypt offers a different approach: its Quantum Key Generation solution, which uses key generation technology that differs from other PQC solutions. Qrypt's technology relies on true quantum random numbers to generate encryption keys independently at each endpoint rather than transmitting them, so there is no key-establishment message for an adversary to capture. The technique is more resilient because any attack on the underlying algorithm must be accomplished in under an hour. This approach is designed to eliminate the risk of harvest-now, decrypt-later attacks, which makes Qrypt's key generation technology a viable solution today for organizations looking to protect their data from future attacks on post-quantum cryptography.
The recent attack on CRYSTALS-Kyber highlights the need for organizations to weigh the risks of nascent PQC algorithms and the solutions built on them, since new attacks can be difficult to detect and mitigate. Implementing Qrypt's Quantum Key Generation-based solutions can provide an immediate reduction in risk while the industry hardens the PQC algorithms at its own pace.