Google has recently announced significant changes in the field of post-quantum cryptography that will affect the Chrome browser. The company had previously run an experiment with a hybrid key exchange combining the classical X25519 curve with the Kyber post-quantum algorithm. The experiment covered all Chrome users on desktop devices, even though the Kyber algorithm was not yet finalized or standardized at the time.
Now the Kyber algorithm has completed its standardization process, undergone minor technical modifications, and received a new name, the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Google has integrated this algorithm into its BoringSSL cryptographic library, so every service that depends on this library can use it.
With these updates, ML-KEM is no longer compatible with the previously used Kyber algorithm. Consequently, the TLS codepoint that identifies the hybrid post-quantum key exchange changes from 0x6399 for Kyber768+X25519 to 0x11ec for ML-KEM768+X25519. These changes take effect with the release of Chrome 131, at which point the browser will stop supporting Kyber and fully transition to ML-KEM. Chrome will also send a key share for hybrid ML-KEM in its ClientHello.
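For server operators checking which hybrid groups their clients offer during the migration, the following added example (not code from Google or BoringSSL) parses the body of a TLS supported_groups extension and classifies the two codepoints named above; the sample ClientHello bytes are constructed, and the group names beside each codepoint are the IETF draft names, an assumption outside this article.

```python
import struct

# Named-group codepoints from the article (draft/IANA values).
KYBER_HYBRID = 0x6399   # X25519Kyber768Draft00, dropped in Chrome 131
MLKEM_HYBRID = 0x11EC   # X25519MLKEM768, the standardized replacement

GROUP_NAMES = {
    KYBER_HYBRID: "X25519Kyber768Draft00",
    MLKEM_HYBRID: "X25519MLKEM768",
    0x001D: "x25519",
    0x0017: "secp256r1",
}


def parse_supported_groups(ext_body: bytes) -> list[int]:
    """Parse a supported_groups extension body (RFC 8446 section 4.2.7):
    a 2-byte list length followed by that many bytes of 2-byte NamedGroup ids."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    body = ext_body[2:2 + list_len]
    if len(body) != list_len or list_len % 2:
        raise ValueError("malformed supported_groups list")
    return list(struct.unpack(f"!{list_len // 2}H", body))


def pq_readiness(groups: list[int]) -> dict:
    """Report whether a client offers the old draft hybrid, the new ML-KEM
    hybrid, and whether it will still negotiate PQ once Kyber is gone."""
    return {
        "offers_kyber_draft": KYBER_HYBRID in groups,
        "offers_mlkem": MLKEM_HYBRID in groups,
        "pq_after_chrome_131": MLKEM_HYBRID in groups,
        "names": [GROUP_NAMES.get(g, f"0x{g:04x}") for g in groups],
    }


# Constructed sample: a client offering both hybrids plus plain x25519.
SAMPLE_EXT = bytes.fromhex("0006" "11ec" "6399" "001d")

if __name__ == "__main__":
    print(pq_readiness(parse_supported_groups(SAMPLE_EXT)))
```

A client that lists only 0x6399 will fall back to a classical group against a server that has already removed the draft codepoint, which is why the article suggests servers accept both during the transition.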
This decision was made for several reasons. Firstly, Kyber was always considered an experiment, and continuing to support it could normalize the use of non-standard algorithms. Secondly, sending two post-quantum key shares at once was deemed too costly and complex. However, server operators can temporarily support both algorithms to remain compatible with a broader range of clients during the update process.
The shift to ML-KEM will not reduce client security, and delaying the change until the release of Chrome 131 gives server operators time to adjust their systems. In the long term, Google aims to address post-quantum algorithm compatibility with a new draft IETF specification for key share prediction. This approach lets servers advertise their supported algorithms via DNS, reducing unnecessary delays when large post-quantum key shares are used.