Mullvad's usage of Kyber is not affected by KyberSlash
Vulnerabilities in some implementations of Kyber, the quantum-resistant key encapsulation mechanism, were recently disclosed. Mullvad’s quantum-resistant tunnels are not affected by this vulnerability, nor by any vulnerability of the same kind.
The two timing-based attacks named KyberSlash1 and KyberSlash2 build on the fact that some implementations of Kyber did not perform critical operations in constant time. If a service allows an attacker to request many such operations against the same key pair, the attacker can measure the timing differences and gradually recover the secret key.
This type of timing-based vulnerability is fairly common in cryptography, which is why Mullvad’s quantum-resistant tunnel protocol is designed so that this entire class of vulnerabilities is not exploitable.
The Mullvad app computes a completely new key pair for each quantum-resistant tunnel connection. No secret key material is ever reused between two tunnels or between two different users. Each secret key is therefore used for only a single encapsulation operation, so the scenario in which timing differences could be measured does not exist. As a result, whether or not the Kyber implementations used by the Mullvad app and servers are vulnerable to KyberSlash1 and KyberSlash2, there is no scenario in which the vulnerability could be exploited.
In Mullvad’s setup, the key pairs for the quantum-resistant shared secret exchange are generated on the client, and only the WireGuard server to which the client is establishing a connection can send a ciphertext to it. No endpoint where a key encapsulation operation can be requested is ever exposed publicly or reachable by a potential attacker: it all happens inside the encrypted WireGuard tunnel between the client and the WireGuard server.
As an extra layer of security, our quantum-resistant tunnels do not rely on Kyber alone. We use two quantum-secure key encapsulation mechanisms (Kyber and Classic McEliece) and mix the secrets from both. This means that both algorithms must have exploitable vulnerabilities before the security of the VPN tunnel can be affected.
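The two design points above (a fresh key pair consumed by exactly one operation per tunnel, and two KEM secrets mixed so that both must fail) as an added illustration; this is not Mullvad's code. It assumes a toy Diffie-Hellman KEM standing in for Kyber and Classic McEliece, an HMAC-SHA256 chain as the combiner (the post does not give Mullvad's actual mixing construction), and a constructed 61-bit modulus that is far too small for real use.

```python
import hashlib
import hmac
import secrets

P = 2305843009213693951  # 2^61 - 1: constructed toy modulus, far too small for real use
G = 3

def _h(x):
    return hashlib.sha256(x.to_bytes(8, "big")).digest()

class ToyDhKem:
    """Diffie-Hellman-as-KEM stand-in for Kyber / Classic McEliece (assumption)."""
    def __init__(self, name):
        self.name = name
    def keygen(self):
        sk = secrets.randbelow(P - 2) + 1
        return sk, pow(G, sk, P)
    def encaps(self, pk):  # server side: ciphertext plus shared secret
        r = secrets.randbelow(P - 2) + 1
        return pow(G, r, P), _h(pow(pk, r, P))
    def decaps(self, sk, ct):  # client side: recover the same shared secret
        return _h(pow(ct, sk, P))

class SingleUseKeyPair:
    """One tunnel's key pair: a single decapsulation, so repeated queries never exist."""
    def __init__(self, kem):
        self.kem = kem
        self.sk, self.pk = kem.keygen()
    def decaps(self, ct):
        if self.sk is None:
            raise RuntimeError(f"{self.kem.name}: key pair already consumed")
        sk, self.sk = self.sk, None  # drop the secret after its single use
        return self.kem.decaps(sk, ct)

def combine(parts):
    """Assumed HMAC-SHA256 chain combiner; the post does not give Mullvad's construction."""
    out = bytes(32)
    for label, ss in parts:
        out = hmac.new(out, label.encode() + ss, hashlib.sha256).digest()
    return out

def tunnel_handshake():
    """Client generates single-use key pairs; the server encapsulates to each of them."""
    client_keys = [SingleUseKeyPair(ToyDhKem(n)) for n in ("kyber", "mceliece")]
    pairs = [(kp, *kp.kem.encaps(kp.pk)) for kp in client_keys]  # (key pair, ct, ss)
    server_parts = [(kp.kem.name, ss) for kp, _, ss in pairs]
    client_parts = [(kp.kem.name, kp.decaps(ct)) for kp, ct, _ in pairs]
    return combine(client_parts), combine(server_parts), pairs
```

Both sides derive the same tunnel secret, a second decapsulation against a consumed key pair is refused, and changing either component secret changes the combined result.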