Google has announced a significant update to its Chrome web browser, transitioning from the previously used KYBER encryption method to the new ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) as part of its strategy to bolster defenses against the emerging threats posed by quantum computing. This change is set to take effect with the upcoming release of Chrome version 131 in early November 2024.
Key Takeaways
Google Chrome will switch from KYBER to ML-KEM for post-quantum cryptography.
The transition is part of a broader effort to secure systems against quantum computing threats.
The change will be implemented in Chrome version 131, expected in November 2024.
ML-KEM is derived from the CRYSTALS-KYBER KEM and is designed for secure key exchange.
Transitioning to ML-KEM
The Chrome team, including David Adrian, David Benjamin, Bob Beck, and Devon O'Brien, confirmed that the browser will now support a hybrid key share prediction for ML-KEM, identified by the codepoint 0x11EC. This update will also include the PostQuantumKeyAgreementEnabled flag and enterprise policy applicable to both KYBER and ML-KEM.
The decision to switch to ML-KEM comes after the U.S. National Institute of Standards and Technology (NIST) finalized new encryption algorithms aimed at protecting current systems from future quantum attacks. The algorithms include:
FIPS 203 (ML-KEM): For key encapsulation.
FIPS 204 (CRYSTALS-Dilithium): For digital signatures.
FIPS 205 (Sphincs+): For hash-based signatures.
Implications of the Change
The transition to ML-KEM means that the previously deployed version of KYBER will no longer be compatible. The codepoint for hybrid post-quantum key exchange will change from 0x6399 (for KYBER768+X25519) to 0x11EC (for ML-KEM768+X25519). This incompatibility necessitates careful planning and implementation to ensure a smooth transition for users and enterprises.
Broader Industry Response
Microsoft is also preparing for a post-quantum future by updating its SymCrypt cryptographic library to support ML-KEM and the eXtended Merkle Signature Scheme (XMSS). The company emphasized that transitioning to post-quantum cryptography is a complex, multi-year process that requires meticulous planning.
Security Concerns and Vulnerabilities
This announcement follows the discovery of a significant cryptographic flaw in Infineon security microcontrollers, which could allow attackers to extract private keys from YubiKey devices. The flaw, known as EUCLEAK (CVE-2024-45678), affects various YubiKey models and requires physical access to the device for exploitation. Yubico, the company behind YubiKey, has announced plans to phase out support for Infineon's cryptographic library in favor of its own solutions.
As quantum computing technology continues to advance, the need for robust post-quantum cryptography becomes increasingly critical. Google's shift to ML-KEM in Chrome is a proactive step towards ensuring the security of online communications in a future where quantum threats are a reality. The industry must remain vigilant and adaptive to these changes to safeguard sensitive information against potential vulnerabilities.
Staying ahead of cyber threats requires constant vigilance and cutting-edge solutions. BetterWorld Technology provides comprehensive cybersecurity services that protect your business from data breaches, ransomware, and other cyberattacks. Our team offers proactive monitoring, threat detection, and rapid incident response to ensure your systems remain secure and your data is safe. Book a consultation with us now and let BetterWorld Technology strengthen your cybersecurity posture and defend your business from the ever-evolving threat landscape.
Sources
Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense, The Hacker News.
Comments