Chrome Switching To NIST-Approved ML-KEM Quantum Encryption (bleepingcomputer.com)
Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM, though, is not related to those early problems, which were resolved soon after they appeared. Rather, it's a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.
ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."
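The codepoint change above is visible on the wire in the TLS supported_groups extension. The following added example (not code from the article, Chrome or BoringSSL) parses that extension's body and reports whether a peer advertises the retired Kyber draft codepoint 0x6399, the standardized ML-KEM codepoint 0x11EC, or both; the sample bytes are constructed, and the group name labels are taken from the IETF drafts.

```python
# Added example: parse a TLS supported_groups extension body (RFC 8446 4.2.7)
# and summarize which hybrid post-quantum codepoints a ClientHello offers.
import struct

# Codepoints named in the article.
KYBER768_X25519_DRAFT = 0x6399   # retired experimental Kyber768+X25519
MLKEM768_X25519 = 0x11EC         # standardized ML-KEM768+X25519

# Labels for readable output (IETF draft names; classical groups are
# standard IANA NamedGroup values).
GROUP_NAMES = {
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    KYBER768_X25519_DRAFT: "X25519Kyber768Draft00",
    MLKEM768_X25519: "X25519MLKEM768",
}


def parse_supported_groups(ext_body):
    """Return the NamedGroup list: a 2-byte length then 2-byte group ids."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("malformed NamedGroupList length")
    return [struct.unpack("!H", ext_body[i:i + 2])[0]
            for i in range(2, 2 + list_len, 2)]


def classify_pq_groups(groups):
    """Summarize the hybrid PQ posture a peer advertises."""
    return {
        "offers_mlkem": MLKEM768_X25519 in groups,
        "offers_retired_kyber": KYBER768_X25519_DRAFT in groups,
        "names": [GROUP_NAMES.get(g, "unknown(0x%04X)" % g) for g in groups],
    }


# Constructed sample: ML-KEM hybrid first, then X25519 and P-256, and the
# retired Kyber draft codepoint still listed last.
SAMPLE_EXT = struct.pack("!H", 8) + struct.pack("!4H", 0x11EC, 0x001D, 0x0017, 0x6399)

if __name__ == "__main__":
    print(classify_pq_groups(parse_supported_groups(SAMPLE_EXT)))
```

A peer that still lists only 0x6399 will fall back to classical X25519 against an updated Chrome, which is worth alerting on during the transition.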
Was any existing encryption actually broken? (Score:2)
I am far from knowing much about encryption and quantum computer capabilities today but I do not recall any such breach.
Are quantum technologies near such capability? I do not think so. So why now? Is it just for bragging rights?
Re:Was any existing encryption actually broken? (Score:5, Informative)
Too many passwords to remember. (Score:2)
Re:Too many passwords to remember. (Score:4, Funny)
it's more secure if you print the passwords without any ink in the printer.
Re: (Score:1)
Re: Too many passwords to remember. (Score:2)
Re: (Score:2)
Re: (Score:2)
Maybe handwriting would be better? My handwriting has built-in encryption, so it is safe in plain view. Though I seem to have lost the key to decrypt it.
Re: (Score:3)
Re: (Score:2)
That said, one obvious concern in the other direction is that the encryption schemes which we are hoping to be resistant to quantum computing based attacks have had much less attention given to them (in part due to them simply being much younger), and thus we have less certainty that they are even classically good encryption. And we've had now multiple examples of supposedly quantum resistant algorithms being cracked by completely classical methods. See for example :https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/ [slashdot.org]. So switching to these new algorithms may be creating new vulnerabilities to deal with a threat that has not yet substantially emerged.
Which is why no one is suggesting moving to a post-quantum algorithm alone. What Chrome is implementing is a hybrid key exchange, ML-KEM768+X25519 (the X25519 part is a standard elliptic curve cipher). Unless your implementation is absolutely terrible, you can't decrease security by layering on multiple encryption schemes, so even if ML-KEM is no more secure than ROT13, it still won't introduce any new vulnerability.
Re: (Score:2)
Re: (Score:2)
Are quantum technologies near such capability?
No.
So why now?
https://miracl.com/blog/backdo... [miracl.com]
Re: (Score:3)
No, but you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary.
Secure protocols.... secure things. It's dumb to wait until they're compromised before you do anything.
And we KNOW for a fact that AES etc. is vulnerable to quantum attacks, and that many governments and companies are producing viable quantum computers that are increasing in size
Re: (Score:2)
you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary
I want 10+ years of real-world testing before I adopt it to make sure that NIST isn't pushing us another compromised cryptosystem.
And we KNOW for a fact that AES etc. is vulnerable to quantum attacks
Yes, if you use such a small key that you could do the decryption by hand. The question is, will quantum computers ever actually even scale up to the point that this is a real concern? And we don't know the answer, so that does merit some caution, but NIST's prior actions also merit caution.
Re: Was any existing encryption actually broken? (Score:2)
Symmetric ciphers, such as AES-128 or AES-256, will remain secure because breaking them requires a serious back door or decrypting with every possible key until a solution is found.
RSA and ECC are asymmetric ciphers and are based on mathematics using large integers. Quantum computers are using algorithms to either factor the public keys or crack the code.
ML-KEM is for key exchange and uses a different model using lattice math and Learning with Errors.
Not sure why Google says thing changed significantly sin
Re: (Score:2)
The solution, however, is to change keys often. Quantum computing means changing keys even more often. AES and similar stuff will stick around as the workhorse of encrypt/decrypt/authenticate, but the complex methods are for the key generation. I.e., a symmetric cipher like AES for most of the stuff, but asymmetric ciphers like ECC (or the newer NIST lattice algorithms) for key generation and exchange.
AES is fast, and maybe this helps a little with brute force attacks, but practically speaking any algorithm with
Re: (Score:2)
No, but you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary.
How do you know it is only a matter of time? Are there any known means of enabling exponential scaling of quantum computers?
And we KNOW for a fact that AES etc. is vulnerable to quantum attacks
Bullshit.
and that many governments and companies are producing viable quantum computers that are increasing in size all the time.
While it is certain analog and quantum computers have a bright future ahead of them and will certainly become far more powerful and far cheaper in the future there is still no exponential scaling happening or that can be reasonably predicted to happen.
Re: (Score:2)
Clearly you're an expert in the field and absolutely unarguable with, so I won't bother too much.
A paper from 2017 (so already 7 years out of date):
https://www.etsi.org/deliver/e... [etsi.org]
"This can result in AES-128 being feasible to crack, but AES-256 is still considered quantum resistant—at least until 2050"
Note "resistant" - not proof. And note that 128bit is actually "feasible to crack". And that's if they haven't underestimated a single thing in their analysis. What if they are wrong, what if quantum
Re: (Score:2)
Imagine classical encryption is cracked via commercially available methods in 2030.
Now imagine I can open up all of your banking transactions and emails (which I have intercepted and recorded) from the years 2020-2029, and decrypt them.
Do you think that information has value, or not?
Re: (Score:2)
Or... 2030 has new quantum computing cracks available, and black hat hackers are now using them. And only THEN do banks decide that they need to upgrade their security, but they can't because also the browsers haven't been updated because Slashdot told them it was too soon, and chip makers haven't updated yet because they were waiting until there was a real quantum hack first before expending valuable profits, so now things remain vulnerable until 2033, and for some slower companies maybe not until 2040...
Re: (Score:2)
Re: (Score:2)
Sure, better to be proactive here. Though I do not think we are anywhere close technologically to even try, right? On the other hand, NIST or not, who knows what we will be able to try to break in the future.
Re: (Score:2)
No, but given how long it takes to update everyone to new security methods, such as a decade or more, then everyone needs to get ready for this now.
The computing industry is resistant to change - standards are often about carving ad-hoc or existing solutions into stone rather than doing what is technically best (or in this case, stronger crypto). I.e., stick with the standard that's already out in the field because you need to interoperate.
Going to something new causes problems. Which is exactly an issue Cho
Suspicious (Score:1)
Re: (Score:3)
Because you're paranoid?
Last time NIST told us to make a big change, they told us to change to a compromised system. It's not paranoid to think they might be doing it again.
Re: (Score:2)
Because you're paranoid?
'Just because you're paranoid doesn't mean they aren't after you.' Joseph Heller, Catch-22
Re: (Score:3)
>> Because you're paranoid?
Nope. NIST is widely and demonstrably known for putting backdoored crypto into norms.
Re: (Score:2)
>> Because you're paranoid?
Nope. NIST is widely and demonstrably known for putting backdoored crypto into norms.
Well, duh - you want that backdoor stuff properly standardized; do you remember how grrreat everybody rolling their own security turned out?
Re: (Score:2)
Re: (Score:1)
Why do I get the feeling that the "approved" system has backdoors that are already known by interested parties
Don't worry - everyone else will figure out a hack before long, and it will be back to equal-opportunity eavesdropping.
That is a very bad idea (Score:4, Informative)
Post-quantum encryption is _not_ ready for prime-time. At this time, it must be regarded as significantly less secure than conventional encryption. In addition, it is completely unclear whether QCs will ever amount to anything. The 12 error-corrected qubits that IBM proudly announced a few days back are, for example, enough to factor RSA keys up to 15. That can be done manually with an abacus. And that is after about 50 years of research. The transistor is about 80 years old at this time, and look what it has scaled to. For QCs it is unclear whether they will ever scale. Hence it is massively premature to rip out well-reviewed ciphers due to the "threat" of QCs, and all it does is decrease security.
Re: (Score:2)
a sensible alternative would use both "old" and "new" algorithms in series (i.e. encrypt with one, then encrypt the result with the new one)
At least until proven.
Re: (Score:3)
That's exactly what they are doing: EC crypto wrapped in a post-quantum cipher.
Re: (Score:2)
You do know that EC is suspect as well, right?
Re: (Score:2)
That is rather risky. Layering encryption is something that can decrease your security. At the very least you need to restrict yourself to stream-mode and encrypt in parallel. That comes with other potential problems though.
Re: (Score:2)
Re: (Score:2)
My "game" is understanding how secure cryptology evolves. It requires a decade or two of expert review and attempts to break it. The "post quantum" stuff already has had some really ridiculous failures. And the attacker model is purely speculative. Hence I, rightfully, expect some other agenda here. It would not be the first time that NIST, in orders from the NSA, pushes backdoored or insecure cryptography.
You, on the other hand, seem to try to manipulate general opinion by using classical PsyOps (and marke
Re: (Score:2)
That's exactly why the new NIST approved system uses both the new QC resistant key exchange AND the currently used ECDH key exchange.
That way, you need to break both the older proven key exchange method and the new QC resistant one.
Re: (Score:2)
You really think they are going to run two key-exchanges?
Quantum or Climate (Score:2)
What is going to kill us sooner, quantum computing or climate change? Too close to call. Must take measures now.
Approved? Now I feel better (Score:2)
Using Chrome. Only Google can have all my data.