We previously posted about enabling a hybrid post-quantum key exchange for 100% of Chrome Desktop users. The hybrid key exchange used both the pre-quantum X25519 algorithm and the new post-quantum Kyber algorithm. At the time, the NIST standardization process for Kyber had not yet finished.
Since then, Kyber has been standardized with minor technical changes and renamed to ML-KEM.
We have implemented ML-KEM in Google’s cryptography library, which lets services that depend on this library deploy and use it.
The changes in the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. As a result, the TLS codepoint for hybrid post-quantum key exchange is changing from 0x6399 (Kyber-768 with X25519) to 0x11EC (ML-KEM-768 with X25519). To handle this, we will make the following changes in Chrome 131:
- Chrome will switch from supporting Kyber to ML-KEM (the Module-Lattice-Based Key-Encapsulation Mechanism).
- Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC).
- The PostQuantumKeyAgreementEnabled flag will apply to both Kyber and ML-KEM.
- Chrome will no longer support hybrid Kyber (codepoint 0x6399).
Chrome will not support Kyber and ML-KEM at the same time. We made this decision for several reasons:
- Kyber was always an experimental deployment, so continuing to support it in the long term is unlikely to be necessary.
- Supporting two post-quantum algorithms at once would require generating and sending multiple post-quantum key shares in the ClientHello, which is expensive because of their size.
- Server operators can temporarily support both algorithms to keep post-quantum security for users of old and new Chrome versions, and drop Kyber once they are confident their users have upgraded.
To avoid losing post-quantum security for clients, we will keep our current deployment until Chrome 131, giving server operators time to update their infrastructure.
In the longer term, we look forward to solving the key share prediction problem without a chicken-and-egg situation. A proposed mechanism lets servers advertise the key exchange algorithms they support in DNS, so clients can predict the key share a server is known to accept. Avoiding a potentially costly extra round trip makes the use of large post-quantum algorithms more practical.
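The following is an added example, not code from the post or from Chrome/BoringSSL. It shows what a server operator watching the Chrome 131 transition above cares about: which hybrid codepoint (0x6399 or 0x11EC) a ClientHello offers, whether the client actually predicted a post-quantum key share, and what a transitional server preference list selects, including whether a HelloRetryRequest round trip (the cost key share prediction exists to avoid) would be needed. The ClientHello bytes are constructed here with dummy random, cipher suite and key share contents, sized to mirror the real hybrid shares; the codepoints and extension numbers are the real IANA values.

```python
import struct

# TLS supported_groups codepoints named in the post (IANA TLS registry).
X25519_KYBER768 = 0x6399   # hybrid Kyber-768 + X25519, dropped in Chrome 131
X25519_MLKEM768 = 0x11EC   # hybrid ML-KEM-768 + X25519, its replacement
X25519 = 0x001D            # classical X25519, offered alongside the hybrid

EXT_SUPPORTED_GROUPS = 0x000A
EXT_KEY_SHARE = 0x0033


def build_client_hello(groups, key_shares):
    """Build a minimal TLS 1.3 ClientHello handshake message (type 1) carrying only
    supported_groups and key_share. Constructed test input: random, cipher suite and
    key share contents are dummies; only the framing is realistic."""
    sg_body = b"".join(struct.pack("!H", g) for g in groups)
    sg_ext = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg_body) + 2)
              + struct.pack("!H", len(sg_body)) + sg_body)
    ks_entries = b"".join(struct.pack("!HH", g, len(d)) + d for g, d in key_shares)
    ks_ext = (struct.pack("!HH", EXT_KEY_SHARE, len(ks_entries) + 2)
              + struct.pack("!H", len(ks_entries)) + ks_entries)
    exts = sg_ext + ks_ext
    body = (b"\x03\x03" + b"\x00" * 32            # legacy_version, random (dummy)
            + b"\x00"                              # empty legacy_session_id
            + b"\x00\x02\x13\x01"                  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length


def parse_client_hello(msg):
    """Return (supported_groups, key_share_groups) from a ClientHello handshake message,
    with bounds checks so a truncated or malformed hello raises instead of misparsing."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun body")
    groups, shares = [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", edata[:2])[0]
            if 2 + n > len(edata):
                raise ValueError("bad supported_groups length")
            groups = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n = struct.unpack("!H", edata[:2])[0]
            p, stop = 2, 2 + n
            if stop > len(edata):
                raise ValueError("bad key_share length")
            while p < stop:
                g, l = struct.unpack("!HH", edata[p:p + 4])
                p += 4 + l
                if p > stop:
                    raise ValueError("key share entry overruns list")
                shares.append(g)
    return groups, shares


def classify_pq_offer(msg):
    """Summarise what a client offers: useful for counting how many clients still
    send the legacy Kyber codepoint before a server drops 0x6399."""
    groups, shares = parse_client_hello(msg)
    return {
        "offers_mlkem_hybrid": X25519_MLKEM768 in groups,
        "offers_kyber_hybrid": X25519_KYBER768 in groups,
        "predicted_key_shares": shares,
        "pq_share_predicted": any(g in (X25519_MLKEM768, X25519_KYBER768) for g in shares),
    }


def select_group(server_prefs, msg):
    """Server-side group selection by server preference. Returns (chosen group, needs_hrr):
    if the client listed the chosen group but sent no key share for it, the server must
    send a HelloRetryRequest, costing the extra round trip the post mentions."""
    groups, shares = parse_client_hello(msg)
    for g in server_prefs:
        if g in groups:
            return g, g not in shares
    return None, False


# Transitional server: prefers ML-KEM hybrid, still accepts Kyber hybrid for old Chrome.
TRANSITIONAL_PREFS = [X25519_MLKEM768, X25519_KYBER768, X25519]
# Server that has already dropped Kyber (post-transition).
MLKEM_ONLY_PREFS = [X25519_MLKEM768, X25519]

# Constructed hellos: share lengths mirror the real 1216-byte hybrid and 32-byte X25519 shares.
OLD_CHROME = build_client_hello([X25519_KYBER768, X25519],
                                [(X25519_KYBER768, b"\x11" * 1216), (X25519, b"\x22" * 32)])
NEW_CHROME = build_client_hello([X25519_MLKEM768, X25519],
                                [(X25519_MLKEM768, b"\x33" * 1216), (X25519, b"\x44" * 32)])
# Client that advertises ML-KEM hybrid but only predicted an X25519 share.
NO_PQ_SHARE = build_client_hello([X25519_MLKEM768, X25519], [(X25519, b"\x55" * 32)])

if __name__ == "__main__":
    for name, hello in [("old", OLD_CHROME), ("new", NEW_CHROME), ("no-pq-share", NO_PQ_SHARE)]:
        print(name, classify_pq_offer(hello), select_group(TRANSITIONAL_PREFS, hello))
```

Running the block prints, per constructed client, which hybrid it offers and what the transitional server picks. The third client shows the prediction cost concretely: the server can still choose ML-KEM hybrid, but only after a HelloRetryRequest, which is exactly what a DNS-advertised preference would let the client avoid.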
We’re thrilled to move forward with improving safety for Chrome users across all current and future devices.