In a first, a ransomware family is confirmed to be quantum-safe

There is no practical benefit for Kyber's developers in choosing a PQC key-exchange algorithm. The Kyber ransom note gives victims one week to reply. Quantum computers capable of running Shor's algorithm, the quantum algorithm that breaks RSA and ECC (elliptic curve cryptography) by solving integer factorization and discrete logarithms efficiently, are at a minimum three years away and likely much further off. The only party a quantum-resistant key wrap protects is the attacker, against a future in which the wrapped file keys could be recovered without paying, and a deadline measured in days makes that irrelevant.

A Kyber variant that targets systems running VMware, meanwhile, claims to use ML-KEM as well. Rapid7 said its look under the hood revealed that it in fact uses RSA with 4096-bit keys, a key size that would need a larger quantum computer to break than the 2048-bit keys in common use but is not quantum-safe. Anna Širokova, a Rapid7 senior security researcher and the author of Tuesday's post, said the use, or claimed use, of ML-KEM is likely only a branding gimmick and that implementing it would require relatively little work by Kyber's developers.

In an email, Širokova wrote:

First, it's marketing to the victim. "Post-quantum encryption" sounds a lot scarier than "we used AES," especially to non-technical decision-makers who may be evaluating whether to pay. It's a psychological trick. They're not worried about someone breaking the encryption a decade from now. They need payment within 72 hours.

Second, implementation cost is low. Kyber1024 libraries (renamed to ML-KEM) are available and well-documented. Ransomware doesn't encrypt your files directly with Kyber1024. That would be slow. Instead, it:

  1. Generates a random AES key
  2. Encrypts your files with that AES key (fast)
  3. Encrypts that AES key with Kyber1024 (so only the attacker can decrypt it)

In Rust, there are already libraries that do Kyber1024. The developer just adds one to their dependencies and calls a function to wrap the key.
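The three steps Širokova describes, as an added example written for this page; it is not Kyber's code and not anything Rapid7 published. It uses Go instead of the Rust crates she mentions, because Go 1.24's standard library ships ML-KEM-1024 (FIPS 203) in crypto/mlkem, so nothing beyond the toolchain is needed. AES-256-GCM is used for both the file body and the key wrap. The sample plaintext and the Bundle layout are assumptions made for the example, not Kyber's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// SamplePlaintext is constructed test data, not content from any real sample.
var SamplePlaintext = []byte("Q3-forecast.xlsx: revenue 4.2M, churn 3.1%")

// Bundle is what the scheme leaves beside each file (layout assumed for this example).
type Bundle struct {
	KEMCiphertext []byte // ML-KEM-1024 ciphertext, 1568 bytes; only the attacker's decapsulation key opens it
	WrappedKey    []byte // nonce || AES-256-GCM(fileKey) under the encapsulated shared secret
	Body          []byte // nonce || AES-256-GCM(plaintext) under fileKey
}

// gcm builds AES-256-GCM. Every key here is 32 bytes, so construction cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// gcmSeal encrypts pt under key with a fresh random nonce and returns nonce || ciphertext.
func gcmSeal(key, pt []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // never returns an error since Go 1.24, which crypto/mlkem needs anyway
	return aead.Seal(nonce, nonce, pt, nil)
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or the data was altered.
func gcmOpen(key, data []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(data) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(data))
	}
	return aead.Open(nil, data[:n], data[n:], nil)
}

// Encrypt is the victim-side path; ek is the attacker's public encapsulation
// key, the only key material that has to ship inside the binary.
func Encrypt(ek *mlkem.EncapsulationKey1024, plaintext []byte) *Bundle {
	fileKey := make([]byte, 32) // step 1: random per-file AES-256 key
	rand.Read(fileKey)
	body := gcmSeal(fileKey, plaintext) // step 2: bulk encryption, the fast part
	// Step 3, "encrypt the AES key with Kyber1024": a KEM does not encrypt a value
	// you choose, it emits a fresh shared secret plus a ciphertext, so the file
	// key is wrapped under that secret with AES-GCM.
	shared, kemCT := ek.Encapsulate()
	return &Bundle{KEMCiphertext: kemCT, WrappedKey: gcmSeal(shared, fileKey), Body: body}
}

// Decrypt is the attacker-side path. ML-KEM uses implicit rejection: a wrong dk
// yields a random-looking secret, not an error, so the mismatch only surfaces
// as a GCM authentication failure on the wrapped key.
func Decrypt(dk *mlkem.DecapsulationKey1024, b *Bundle) ([]byte, error) {
	shared, err := dk.Decapsulate(b.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	fileKey, err := gcmOpen(shared, b.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key: %w", err)
	}
	return gcmOpen(fileKey, b.Body)
}

// DemoResult is one end-to-end run on SamplePlaintext.
type DemoResult struct {
	Bundle      *Bundle
	Recovered   []byte // plaintext recovered with the attacker's key
	WrongKeyErr error  // non-nil: an unrelated decapsulation key recovers nothing
}

// Demo encrypts, decrypts with the right key, then tries a second unrelated key.
func Demo() (*DemoResult, error) {
	attacker, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, err
	}
	other, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, err
	}
	bundle := Encrypt(attacker.EncapsulationKey(), SamplePlaintext)
	recovered, err := Decrypt(attacker, bundle)
	if err != nil {
		return nil, err
	}
	_, wrongErr := Decrypt(other, bundle)
	return &DemoResult{Bundle: bundle, Recovered: recovered, WrongKeyErr: wrongErr}, nil
}
```

Two points the code makes that the list does not. The victim-side binary contains only the encapsulation key, so reverse engineering it yields nothing that decrypts; recovery depends entirely on obtaining the attacker's decapsulation key, and swapping ML-KEM for RSA-4096 (or back) changes nothing about that. And because ML-KEM rejects implicitly, anyone trying candidate keys during an incident gets no signal from the KEM itself; the only failure is the AEAD check on the wrapped file key.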

Despite the hype, Kyber suggests that PQC is attracting the attention of the less technically inclined lawyers and executives who decide how to respond to ransom demands. Kyber's developers are hoping the impression that the encryption has overwhelming strength will sway people to pay.
