An earlier article discussed experimenting with a hybrid post-quantum key exchange and enabling it for 100% of Chrome Desktop users. This hybrid key exchange combined the pre-quantum X25519 algorithm with the new post-quantum algorithm Kyber. At that time, the NIST standardization process for Kyber was still ongoing.
Subsequently, the Kyber algorithm has been standardized with slight technical modifications and rebranded as the Module Lattice Key Encapsulation Mechanism (ML-KEM). ML-KEM has been integrated into Google’s cryptography library, BoringSSL, enabling services reliant on this library to deploy and utilize it effectively.
The alterations to the final version of ML-KEM make it incompatible with the earlier version of Kyber that was deployed. Consequently, the TLS codepoint for the hybrid post-quantum key exchange is transitioning from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519. To accommodate this, the following modifications will be implemented in Chrome 131 [1]:
- Chrome will shift from supporting Kyber to ML-KEM
- Chrome will offer a key share prediction for the hybrid ML-KEM (codepoint 0x11EC)
- The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM
- Chrome will discontinue support for the hybrid Kyber (codepoint 0x6399)
Chrome will not simultaneously support Kyber and ML-KEM. This decision was made for various reasons:
- Kyber was always an experimental feature, so continuing to support it risks entrenching non-standard algorithms.
- Post-quantum key shares are too large to offer two post-quantum key share predictions at the same time.
- Server administrators can temporarily support both algorithms at the same time to maintain post-quantum security across a wider range of clients while gradually updating their configurations.
The intention is not to regress the post-quantum security of any client, so the change is being held until the release of Chrome 131 to give server administrators time to update their setups.
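For server operators tracking the transition, the sketch below (an added example, not Chrome or BoringSSL code) parses the supported_groups and key_share extensions of a TLS ClientHello and reports whether the client offers 0x11EC, only 0x6399, or neither. The function names and the zero-filled sample message are constructed for illustration.

```python
KYBER, MLKEM = 0x6399, 0x11EC          # hybrid codepoints named in the article

def _vec(buf, pos, width):
    """Read a length-prefixed vector; return (contents, next position)."""
    n = int.from_bytes(buf[pos:pos + width], "big")
    end = pos + width + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos + width:end], end

def offered_groups(hello):
    """Parse a ClientHello handshake message; return (groups, {group: share length})."""
    if hello[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    body, _ = _vec(hello, 1, 3)
    pos = 2 + 32                       # skip legacy_version and random
    for width in (1, 2, 1):            # session_id, cipher_suites, compression
        _, pos = _vec(body, pos, width)
    exts, _ = _vec(body, pos, 2)
    supported, shares, pos = [], {}, 0
    while pos < len(exts):
        etype = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if etype == 10:                # supported_groups
            lst, _ = _vec(data, 0, 2)
            supported = [int.from_bytes(lst[i:i + 2], "big") for i in range(0, len(lst), 2)]
        elif etype == 51:              # key_share: the groups the client predicted
            lst, _ = _vec(data, 0, 2)
            p = 0
            while p < len(lst):
                group = int.from_bytes(lst[p:p + 2], "big")
                key, p = _vec(lst, p + 2, 2)
                shares[group] = len(key)
    return supported, shares

def classify(hello):
    """Label a client by the hybrid post-quantum group it offers."""
    supported, shares = offered_groups(hello)
    offered = set(supported) | set(shares)
    if MLKEM in offered:
        return "ml-kem"
    return "kyber-only" if KYBER in offered else "classical-only"

def sample_hello(groups, share_group, share_len):
    """Constructed ClientHello with zero-filled random and key share (test data)."""
    v = lambda w, b: len(b).to_bytes(w, "big") + b
    ext = lambda t, b: t.to_bytes(2, "big") + v(2, b)
    sg = ext(10, v(2, b"".join(g.to_bytes(2, "big") for g in groups)))
    ks = ext(51, v(2, share_group.to_bytes(2, "big") + v(2, bytes(share_len))))
    return b"\x01" + v(3, b"\x03\x03" + bytes(32) + v(1, b"") + v(2, b"\x13\x01") + v(1, b"\x00") + v(2, sg + ks))
```

Counting "kyber-only" results over captured handshakes shows how many clients would fall back to classical key exchange if the server dropped 0x6399.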
In the long run, efforts are being made to resolve the challenge of post-quantum key share predictions through the emerging IETF proposal for key share prediction. This approach enables servers to broadcast the algorithms they support via DNS, so that clients can predict a key share that is compatible with the server. This helps avoid unnecessary delays, especially when working with large post-quantum algorithms.
We are enthusiastic about enhancing security for Chrome users, addressing current and future computational challenges.
Notes
[1] Changes mentioned may be visible in Chrome Canary, Dev, and Beta versions before Chrome 131.
