A new path for Kyber on the web



We previously posted about experimenting with a hybrid post-quantum key exchange, and enabling it for 100% of Chrome Desktop clients. The hybrid key exchange used both the pre-quantum X25519 algorithm and the new post-quantum algorithm Kyber. At the time, the NIST standardization process for Kyber had not yet finished.

Since then, the Kyber algorithm has been standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). We have implemented ML-KEM in Google's cryptography library, BoringSSL, which allows it to be deployed and used by services that depend on this library.

The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519. To handle this, we will be making the following changes in Chrome 131:

  • Chrome will switch from supporting Kyber to ML-KEM
  • Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)
  • The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM
  • Chrome will no longer support hybrid Kyber (codepoint 0x6399)

Chrome will not support Kyber and ML-KEM at the same time. We made this decision for several reasons:

  1. Kyber was always experimental, so we think continuing to support it risks ossification on non-standard algorithms.
  2. Post-quantum key shares are too large to be able to offer two post-quantum key share predictions at the same time.
  3. Server operators can temporarily support both algorithms at the same time to maintain post-quantum security with a broader set of clients as they update over time.

We don't want to regress any clients' post-quantum security, so we're waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations.

Longer term, we hope to avoid the chicken-and-egg problem for post-quantum key share predictions through our emerging IETF draft for key share prediction. This allows servers to broadcast which algorithms they support in DNS, so that clients can predict a key share that a server is known to support. This avoids the risk of an extra round trip, which can be particularly costly when using large post-quantum algorithms.

We're excited to continue to improve security for Chrome users, against both current and future computers.
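To illustrate the codepoint transition described above and the extra round trip mentioned here, the following Python is an added example (not code from the Chromium post or from BoringSSL). It encodes and parses TLS 1.3 supported_groups and key_share extension bodies per RFC 8446 and models which group a server would pick and whether a HelloRetryRequest results; the x25519 group id 0x001D, server-preference ordering, and the placeholder key bytes are assumptions.

```python
import struct

X25519 = 0x001D                    # classical group id from RFC 8446 (not in the post)
X25519_KYBER768_DRAFT00 = 0x6399   # hybrid Kyber codepoint, dropped in Chrome 131
X25519_MLKEM768 = 0x11EC           # hybrid ML-KEM codepoint, predicted by Chrome 131

def build_supported_groups(groups):
    """Encode a supported_groups extension body (RFC 8446 4.2.7)."""
    body = b"".join(struct.pack("!H", g) for g in groups)
    return struct.pack("!H", len(body)) + body

def build_key_share(shares):
    """Encode a ClientHello key_share body (RFC 8446 4.2.8) from {group: key_exchange}."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares.items())
    return struct.pack("!H", len(body)) + body

def parse_supported_groups(ext):
    (length,) = struct.unpack("!H", ext[:2])  # reject a body whose length prefix lies
    body = ext[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("malformed supported_groups")
    return [g for (g,) in struct.iter_unpack("!H", body)]

def parse_key_share(ext):
    (length,) = struct.unpack("!H", ext[:2])
    body, shares, off = ext[2:2 + length], {}, 0
    if len(body) != length:
        raise ValueError("malformed key_share")
    while off < len(body):  # each entry: group(2) + key_exchange length(2) + key_exchange
        group, klen = struct.unpack("!HH", body[off:off + 4])
        key = body[off + 4:off + 4 + klen]
        if len(key) != klen:
            raise ValueError("truncated key_share entry")
        shares[group], off = key, off + 4 + klen
    return shares

def negotiate(supported_groups_ext, key_share_ext, server_prefs):
    """Pick the first server-preferred group the client offers (server-preference order
    is an assumption of this model). Returns (group, needs_hello_retry): a HelloRetryRequest,
    i.e. the extra round trip the post mentions, is needed when the chosen group has no share."""
    groups = parse_supported_groups(supported_groups_ext)
    shares = parse_key_share(key_share_ext)
    for g in server_prefs:
        if g in groups:
            return g, g not in shares
    return None, False

# Constructed Chrome 131-style ClientHello fragments (placeholder key bytes, not real keys)
CHROME131_GROUPS = build_supported_groups([X25519_MLKEM768, X25519])
CHROME131_SHARES = build_key_share({X25519_MLKEM768: b"\x01" * 1216, X25519: b"\x02" * 32})
```

Running `negotiate` against a server that still lists only 0x6399 shows the fallback to classical x25519 (no post-quantum protection), while a server listing both codepoints keeps the hybrid without an extra round trip.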
