Post-Quantum Shakeup: Chrome Drops Hybrid Encryption
Google has announced significant changes in the field of post-quantum cryptography, which will impact the Chrome browser. Previously, the company had been experimenting with hybrid key exchange, combining the legacy X25519 algorithm with the post-quantum algorithm Kyber. This experiment involved 100% of Chrome’s desktop users, even though Kyber had not yet been fully finalized or standardized at the time.
Now, Kyber has completed its final stages of standardization, undergone minor technical revisions, and been renamed the Modular Lattice Key Encapsulation Mechanism (ML-KEM). Google has already integrated this algorithm into its cryptographic library, BoringSSL, making it available to all services that depend on the library.
With these new changes, ML-KEM is no longer compatible with the previously used Kyber. As a result, the TLS protocol will modify the code responsible for hybrid post-quantum key exchange: instead of 0x6399 for Kyber768+X25519, 0x11EC will be used for ML-KEM768+X25519. These changes will take effect with the release of Chrome 131, after which the browser will no longer support Kyber, fully transitioning to ML-KEM. Additionally, Chrome will introduce key exchange prediction for hybrid ML-KEM.
This decision was made for several reasons. Firstly, Kyber was merely an experiment, and continuing its support could have led to the entrenchment of non-standard algorithms. Secondly, employing two simultaneous key exchange prediction methods in post-quantum cryptography proved to be overly complex. Nevertheless, server operators will temporarily be able to support both algorithms to ensure compatibility with a broader range of clients during the update process.
The transition to ML-KEM will help prevent the degradation of client security, and the delay of changes until Chrome 131’s release will give server operators time to adapt their systems.
In the long term, Google plans to resolve post-quantum algorithm compatibility issues through a new IETF draft specification for key exchange prediction. This approach will allow servers to transmit supported algorithms via DNS, reducing unnecessary delays when using large post-quantum algorithms.
