Chrome Switching To NIST-Approved ML-KEM Quantum Encryption

Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM though is not related to those early problems, that got resolved soon after manifesting. Rather, its a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.

ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."

Was any existing encryption actually broken?

[4wdloop]

I am far from knowing much about encryption and quantum computer capabilities today but I do not recall any such breach.
Are quantum technologies near such capability? I do not think so. So why now? Is it just an for bragging rights?

Re:Was any existing encryption actually broken?

[JoshuaZ]

There's concern about people engaging in what is called "Store Now, Decrypt Later" or "Harvest Now, Decrypt Later" https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later [wikipedia.org] where powerful actors (such as various intelligence agencies and large criminal organizations) will store large amounts of encrypted information and then go back and decrypt it once the quantum computers are available. This is a legitimate concern. That said, one obvious concern in the other direction is that the encryption schemes which we are hoping to be resistant to quantum computing based attacks have had much less attention given to them (in part due to them simply being much younger), and thus we have less certainty that they are even classically good encryption. And we've had now multiple examples of supposedly quantum resistant algorithms being cracked by completely classical methods. See for example :https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/ [slashdot.org]. So switching to these new algorithms may be creating new vulnerabilities to deal with a threat that has not yet substantially emerged. It might make sense to start having two tiers of encryption one for data where Store Now, Decrypt Later is a threat, and another for things where they are just not that time sensitive.

Too many passwords to remember.

[Monster_user]

That reminds me, I need to buy ink for my printer so that I can print out all my passwords in plain text and store them in a fireproof safe for later retrieval. "Store Now, Remember Later".

Re:Too many passwords to remember.

[stooo]

it's more secure if you print the passwords without any ink in the printer.

Re:

[Monster_user]

It is not necessarily more secure when considering the "C.I.A." triad. Confidentiality, Integrity, and Availability. Printing without ink will maintain data confidentiality, but it will not ensure Availability.

Re: Too many passwords to remember.

[BadgerStork]

Confidentiality, Integrity, and Availability AND future proofing against sci-fi attacks from the future!

FOOL! Those are the wrong tools!

[mmell]

Use 3M Post-it notes and a black Sharpie marker.

Re:

[4wdloop]

Maybe handwriting be better? My handwriting has a built-in encryption so it is safe in plane view. Though I seem to have lost the key to decrypt it.

Re:

[JoshuaZ]

Not all protocols can be easily wrapped. Also, there's a serious convenience/computational issue if people have to do more heavy duty computations.

Re:

[Baloroth]

That said, one obvious concern in the other direction is that the encryption schemes which we are hoping to be resistant to quantum computing based attacks have had much less attention given to them (in part due to them simply being much younger), and thus we have less certainty that they are even classically good encryption. And we've had now multiple examples of supposedly quantum resistant algorithms being cracked by completely classical methods. See for example :https://cacm.acm.org/news/nist-post-quantum-cryptography-candidate-cracked/ [slashdot.org]. So switching to these new algorithms may be creating new vulnerabilities to deal with a threat that has not yet substantially emerged.

Which is why no one is suggesting moving to a post-quantum algorithm alone. What Chrome is implementing is a hybrid key exchange, ML-KEM768+X25519 (the X25519 part is a standard elliptical curve cypher). Unless your implementation is absolutely terrible, you can't decrease security by layering on multiple encryption schemes, so even if ML-KEM is no more secure than ROT13, it still won't introduce any new vulnerability.

Re:

[drinkypoo]

Are quantum technologies near such capability?

No.

So why now?

https://miracl.com/blog/backdo... [miracl.com]

Re:

[ledow]

No, but you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary.

Secure protocols.... secure things. It's dumb to wait until they're compromised before you do anything.

And we KNOW for a fact that AES etc. is vulnerable to quantum attacks, and that many governments and companies are producing viable quantum computers that are increasing in size

Re:

[drinkypoo]

you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary

I want 10+ years of real-world testing before I adopt it to make sure that NIST isn't pushing us another compromised cryptosystem.

And we KNOW for a fact that AES etc. is vulnerable to quantum attacks

Yes, if you use such a small key that you could do the decryption by hand. The question is, will quantum computers ever actually even scale up to the point that this is a real concern? And we don't know the answer, so that does merit some caution, but NIST's prior actions also merit caution.

Re: Was any existing encryption actually broken?

[Ronin Developer]

Symmetric ciphers, such as AES-128 or AES-256, will remain secure because breaking them requires a serious back door or decrypting with every possible key until a solution is found.

RSA and ECC are asymmetric ciphers and are based on mathematics using large integers. Quantum computers are using algorithms to either factor the public keys or crack the code.

ML-KEM is for key exchange and uses a different model using lattice math and Learning with Errors.

Not sure why Google says thing changed significantly sin

Re:

[Darinbob]

The solution however is to change keys often. Quantum computing means change keys even more often. AES and similar stuff will stick around for the workhorse of encrypt/decrypt/authenticate, but the complex methods are for the key generation. Ie, symmetric cipher like AES for most of the stuff, but asymmetric ciphers like ECC (or the newer NIST linear algorithms) for key generation and exchange.

AES is fast, and maybe this helps a little with brute force attacks, but practically speaking any algorithm with

Re:

[WaffleMonster]

No, but you don't WAIT for your thing to be compromised when you know it's only a matter of time, when you can literally deploy an alternative now and have 10+ years of real-world testing of it by the time it's actually necessary.

How do you know it is only a matter of time? Are there any known means of enabling exponential scaling of quantum computers?

And we KNOW for a fact that AES etc. is vulnerable to quantum attacks

Bullshit.

and that many governments and companies are producing viable quantum computers that are increasing in size all the time.

While it is certain analog and quantum computers have a bright future ahead of them and will certainly become far more powerful and far cheaper in the future there is still no exponential scaling happening or that can be reasonably predicted to happen.

Re:

[ledow]

Clearly you're an expert in the field and absolutely unarguable with, so I won't bother too much.

A paper from 2017 (so already 7 years out of date):
https://www.etsi.org/deliver/e... [etsi.org]

"This can result in AES-128 being feasible to crack, but AES-256 is still considered quantum resistantâ"at least until 2050"

Note "resistant" - not proof. And note that 128bit is actually "feasible to crack". And that's if they haven't underestimated a single thing in their analysis. What if they are wrong, what if quantum

Re:

[brunes69]

Imagine classical encryption is cracked via commercially available methods in 2030.

Now imagine I can open up all of your banking transactions and emails (which I have intercepted and recorded) from the years 2020-2029, and decrypt them.

Do you think that information has value, or not?

Re:

[Darinbob]

Or... 2030 has new quantum computing cracks available, and black hat hackers are now using them. And only THEN do banks decide that they need to upgrade their security, but they can't because also the browsers haven't been updated because Slashdot told them it was too soon, and chip makers haven't updated yet because they were waiting until there was a real quantum hack first before expending valuable profits, so now things remain vulnerable until 2033, and for some slower companies maybe not until 2040...

Not broken, but considered vulnerable.

[mmell]

I'd rather fix my crypto before it's broken. I don't want to hear about how my data was stolen, I'd much rather be reasonably assured that it wasn't.

Re:

[4wdloop]

Sure, better to be proactive here. Though I do not think we are anywhere close technologically to even try., right? On the other hand, NIST or not who know what we will be able to try to break in the future.

Re:

[Darinbob]

No, but given how long it takes to update everyone to new security methods, such as a decade or more, then everyone needs to get ready for this now.

The computing industry is resistant to change - standards are often about carving ad-hoc or existing solutions into stone rather than doing what is technically best (or in this case, stronger crypto). Ie, stick with the standard that's already out in the field because you need to interoperate.

Going to something new causes problems. Which is exactly an issue Cho

Suspicious

[Lobotomy656]

Why do I get the feeling that the "approved" system has backdoors that are already known by interested parties and the experimental one didn't have them or was reluctant to implement them?

Re:

[drinkypoo]

Because you're paranoid?

Last time NIST told us to make a big change, they told us to change to a compromised system. It's not paranoid to think they might be doing it again.

Re:

[nicubunu]

Because you're paranoid?

'Just because you're paranoid doesn't mean they aren't after you.' Joseph Heller, Catch-22

Re:

[stooo]

>> Because you're paranoid?
Nope. NIST is widely and demonstrably known for putting backdoored crypto into norms.

Re:

[Briareos]

>> Because you're paranoid?
Nope. NIST is widely and demonstrably known for putting backdoored crypto into norms.

Well, duh - you want that backdoor stuff properly standardized; do you remember how grrreat everybody rolling their own security turned out?

Being paranoid doesn't mean he's wrong.

[mmell]

I'm a UNIX Engineer - I get paid perfectly good money to be paranoid. It's not a great job, but it's a living!

Re:

[Black Parrot]

Why do I get the feeling that the "approved" system has backdoors that are already known by interested parties

Don't worry - everyone else will figure out a hack before long, and it will be back to equal-opportunity eavesdropping.

That is a very bad idea

[gweihir]

Post-quantum encryption is _not_ ready for prime-time. At this time, it must be regarded as significantly less secure than conventional encryption. In addition, it is completely unclear whether QCs will ever amount to anything. The 12 error corrected QBITs that IBM proudly announced a few days back, are for example enough to factor RSA keys up to 15. That can be done manually with an Abacus. And that is after about 50 years or research. The transistor is about 80 years old at this time, and look what it has scaled too. For QCs it is unclear whether they will ever scale. Hence it is massively premature to rip out well-reviewed ciphers due to the "threat" of QCs and all it does is decrease security.

Re:

[stooo]

a sensible alternative would use both "old" and "new" algorithms in series (i.e. encrpt with one, then encrypt the result with the new one)
At least until proven.

Re:

[flink]

That's exactly what they are doing: EC crypto wrapped in a post-quantum cipher.

Re:

[gweihir]

You do know that EC is suspect as well, right?

Re:

[gweihir]

That is rather risky. Layering encryption is something that can decrease your security. At the very least you need to restrict yourself to stream-mode and encrypt in parallel. That comes with other potential problems though.

Your paranoia is making me paranoid.

[mmell]

You seem fairly bent on discouraging the adoption of quantum-resistant cryptography. If I assume you're not just being atruistic and expressing real (if not valid) concerns here, what's your game?

Re:

[gweihir]

My "game" is understanding how secure cryptology evolves. It requires a decade or two of expert review and attempts to break it. The "post quantum" stuff already has had some really ridiculous failures. And the attacker model is purely speculative. Hence I, rightfully, expect some other agenda here. It would not be the first time that NIST, in orders from the NSA, pushes backdoored or insecure cryptography.

You, on the other hand, seem to try to manipulate general opinion, by using classical PyOps (and marke

Re:

[crackerjack155]

That's exactly why the new NIST approved system uses both the new QC resistant key exchange AND the currently used ECDH key exchange.

That way, you need to break both the older proven key exchange method and the new QC resistant one.

Re:

[gweihir]

You really think they are going to run two key-exchanges?

Quantum or Climate

[groobly]

What is going to kill us sooner, quantum computing or climate change? Too close to call. Must take measures now.

Approved? Now I feel better

[Tony Isaac]

Using Chrome. Only Google can have all my data.