Thursday, September 11, 2025

A brand new path for Kyber on the internet


We previously posted about experimenting with a hybrid post-quantum key exchange, and enabling it for 100% of Chrome Desktop clients. The hybrid key exchange used both the pre-quantum X25519 algorithm, and the new post-quantum algorithm Kyber. At the time, the NIST standardization process for Kyber had not yet finished.

Since then, the Kyber algorithm has been standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). We have implemented ML-KEM in Google’s cryptography library, BoringSSL, which allows it to be deployed and used by services that depend on this library.

The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519. To handle this, we will be making the following changes in Chrome 131:

  • Chrome will switch from supporting Kyber to ML-KEM
  • Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)
  • The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM
  • Chrome will no longer support hybrid Kyber (codepoint 0x6399)

Chrome will not support Kyber and ML-KEM at the same time. We made this decision for several reasons:

  1. Kyber was always experimental, so we think continuing to support it risks ossification on non-standard algorithms.
  2. Post-quantum cryptography is too big to be able to offer two post-quantum key share predictions at the same time.
  3. Server operators can temporarily support both algorithms at the same time to maintain post-quantum security with a broader set of clients, as they update over time.

We don’t want to regress any clients’ post-quantum security, so we’re waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations.
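An added example, not from the original post and not Chrome or BoringSSL code: a minimal parser for the ClientHello `supported_groups` and `key_share` extension bodies (RFC 8446 layout) that reports which group a server would select and whether that choice costs an extra round trip. The server preference lists, helper names and zero-filled key shares are constructed for illustration.

```python
import struct

# Codepoints as given on this page; 0x001D is the IANA value for plain X25519.
KYBER_HYBRID, MLKEM_HYBRID, X25519 = 0x6399, 0x11EC, 0x001D

def parse_supported_groups(body):
    """Parse a supported_groups extension body (RFC 8446 NamedGroupList)."""
    if len(body) < 2:
        raise ValueError("truncated supported_groups")
    (n,) = struct.unpack_from("!H", body)
    if n % 2 or n != len(body) - 2:
        raise ValueError("bad supported_groups length")
    return list(struct.unpack_from("!%dH" % (n // 2), body, 2))

def parse_key_share_groups(body):
    """Return the groups for which a ClientHello key_share body carries a share."""
    if len(body) < 2 or struct.unpack_from("!H", body)[0] != len(body) - 2:
        raise ValueError("bad key_share length")
    groups, off = [], 2
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated KeyShareEntry")
        group, klen = struct.unpack_from("!HH", body, off)
        off += 4 + klen
        if off > len(body):
            raise ValueError("key_exchange overruns extension")
        groups.append(group)
    return groups

def select_group(server_prefs, groups_body, shares_body):
    """Pick the first server-preferred group the client supports (assumed policy).
    Returns (group, needs_retry); needs_retry is True when the client predicted
    no share for that group, so a HelloRetryRequest round trip is required."""
    supported = parse_supported_groups(groups_body)
    predicted = parse_key_share_groups(shares_body)
    for g in server_prefs:
        if g in supported:
            return g, g not in predicted
    return None, False

# Constructed sample builders: key_exchange bytes are zero-filled placeholders.
def groups_ext(*gs):
    return struct.pack("!H", 2 * len(gs)) + struct.pack("!%dH" % len(gs), *gs)
def shares_ext(*entries):
    data = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in entries)
    return struct.pack("!H", len(data)) + data

# 1216 = 1184-byte ML-KEM-768/Kyber768 encapsulation key + 32-byte X25519 share.
NEW_CLIENT = (groups_ext(MLKEM_HYBRID, X25519), shares_ext((MLKEM_HYBRID, 1216), (X25519, 32)))
OLD_CLIENT = (groups_ext(KYBER_HYBRID, X25519), shares_ext((KYBER_HYBRID, 1216), (X25519, 32)))
```

A server that lists only 0x6399 and X25519 selects plain X25519 for `NEW_CLIENT`, which is the loss of post-quantum protection that supporting both codepoints during the transition avoids.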

Longer term, we hope to avoid the chicken-and-egg problem for post-quantum key share predictions through our emerging IETF draft for key share prediction. This allows servers to broadcast what algorithms they support in DNS, so that clients can predict a key share that a server is known to support. This avoids the risk of an extra round trip, which can be particularly costly when using large post-quantum algorithms.

We’re excited to continue to improve security for Chrome users, against both current and future computers.
