Google’s Chrome to Support Quantum-Resistant Cryptography

Google is preparing the web for the transition to quantum-resistant cryptography. As part of this, Chrome will start supporting X25519Kyber768, a hybrid mechanism that combines two cryptographic algorithms for establishing symmetric secrets in TLS. This change is being rolled out to Chrome and Google servers and will be monitored for compatibility issues. The motivation behind this is the development of quantum computers, which could potentially break many types of asymmetric cryptography used today.

Quantum-resistant cryptography must be secure against both quantum and classical cryptanalytic techniques. It’s important to start protecting traffic today due to a type of attack called Harvest Now, Decrypt Later, where data is collected and stored today and later decrypted once cryptanalysis improves. Using X25519Kyber768 adds over a kilobyte of extra data to the TLS ClientHello message, which could cause compatibility issues in certain cases. Administrators can disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy if needed.

“It’s believed that quantum computers that can break modern classical cryptography won’t arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today? The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves.”

Devon O’Brien, Technical Program Manager, Chrome security

Google’s Efforts Towards Quantum-Resistant Cryptography

Google is actively preparing the internet for the transition to quantum-resistant cryptography. This involves updating technical standards, testing and deploying new quantum-resistant algorithms, and collaborating with the wider ecosystem. As part of this process, Google’s web browser, Chrome, will start supporting X25519Kyber768 for establishing symmetric secrets in Transport Layer Security (TLS), beginning with Chrome 116.

X25519Kyber768 is a hybrid mechanism that combines the output of two cryptographic algorithms to create the session key used to encrypt the majority of the TLS connection. The two algorithms are X25519, an elliptic curve algorithm commonly used for key agreement in TLS, and Kyber-768, a quantum-resistant Key Encapsulation Method and a winner of the National Institute of Standards and Technology’s (NIST) Post-Quantum Cryptography (PQC) competition for general encryption.

To identify any incompatibilities with this change, Google is rolling it out to Chrome and to Google servers over both Transmission Control Protocol (TCP) and Quick UDP Internet Connections (QUIC), and monitoring for potential compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support.

The Need for Quantum-Resistant Cryptography

Modern networking protocols like TLS use cryptography to protect information and validate the identity of websites. The strength of this cryptography is measured in terms of how difficult it would be for an attacker to violate these properties. As attacks advance and improve over time, it becomes crucial to move to stronger algorithms.

Quantum computers, capable of efficiently performing certain computations that are currently out of reach, pose a significant threat to many types of asymmetric cryptography used today. These cryptographic methods are considered strong against attacks using existing technology but do not protect against attackers with a sufficiently capable quantum computer.

Quantum-resistant cryptography must also be secure against both quantum and classical cryptanalytic techniques. This is not a theoretical concern: in 2022 and 2023, several leading candidates for quantum-resistant cryptographic algorithms were broken on inexpensive and commercially available hardware. Hybrid mechanisms like X25519Kyber768 offer the flexibility to deploy and test new quantum-resistant algorithms while ensuring that connections are still protected by an existing secure algorithm.

The Importance of Protecting Data in Transit Now

While quantum computers that can break modern classical cryptography may not arrive for several decades, it is important to start protecting traffic today. This is due to a type of attack called “Harvest Now, Decrypt Later,” where data is collected and stored today and later decrypted once cryptanalysis improves.

“There’s a common mantra in cryptography that attacks only get better, not worse, which highlights the importance of moving to stronger algorithms as attacks advance and improve over time.”

Devon O’Brien, Technical Program Manager, Chrome security

In TLS, even though the symmetric encryption algorithms that protect the data in transit are considered safe against quantum cryptanalysis, the way that the symmetric keys are created is not. This means that the sooner Chrome can update TLS to use quantum-resistant session keys, the sooner it can protect user network traffic against future quantum cryptanalysis.

Deployment Considerations for Quantum-Resistant Cryptography

Using X25519Kyber768 adds over a kilobyte of extra data to the TLS ClientHello message due to the addition of the Kyber-encapsulated key material. Earlier experiments with CECPQ2 showed that the majority of TLS implementations are compatible with this size increase. However, in certain limited cases, TLS middleboxes failed due to improperly hardcoded restrictions on message size.
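To make the size increase concrete, the following added example (not code from Google or Chrome) builds two constructed ClientHello records, one offering only X25519 and one offering the hybrid group, and parses the `key_share` extension of each. The group codepoint `0x6399` and the 32 + 1184 byte hybrid share length are assumptions taken from the X25519Kyber768Draft00 draft, not from this page; the record contents are zero-filled placeholders.

```python
import struct

X25519 = 0x001D
X25519KYBER768 = 0x6399       # assumption: X25519Kyber768Draft00 codepoint (from the draft)
HYBRID_SHARE_LEN = 32 + 1184  # assumption: X25519 key + Kyber-768 public key (from the draft)

def _vec(body, n):
    """TLS vector: body prefixed with its length as an n-byte big-endian integer."""
    return len(body).to_bytes(n, "big") + body

def build_client_hello(shares):
    """Constructed sample: minimal ClientHello record whose only extension is key_share."""
    entries = b"".join(struct.pack("!H", g) + _vec(bytes(n), 2) for g, n in shares)
    ext = struct.pack("!H", 51) + _vec(_vec(entries, 2), 2)
    body = (b"\x03\x03" + bytes(32)   # legacy_version, random (zeroed placeholder)
            + _vec(b"", 1)            # legacy_session_id
            + _vec(b"\x13\x01", 2)    # cipher_suites
            + _vec(b"\x00", 1)        # legacy_compression_methods
            + _vec(ext, 2))           # extensions
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)

def key_shares(record):
    """Return (ClientHello body length, {group: key_exchange length}) for one record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    p = 9 + 2 + 32                                   # skip version and random
    p += 1 + record[p]                               # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher suites
    p += 1 + record[p]                               # compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    found = {}
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 51:                              # key_share
            q, qend = p + 2, p + elen                # skip client_shares length
            while q + 4 <= qend:
                group, klen = struct.unpack_from("!HH", record, q)
                found[group] = klen
                q += 4 + klen
        p += elen
    return hs_len, found

if __name__ == "__main__":
    for shares in ([(X25519, 32)], [(X25519KYBER768, HYBRID_SHARE_LEN), (X25519, 32)]):
        print(key_shares(build_client_hello(shares)))
```

The hybrid entry alone accounts for 1220 bytes of the difference (4 bytes of group and length fields plus the 1216-byte share), which is the growth a middlebox with a hardcoded ClientHello size limit has to tolerate.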

To assist enterprises dealing with network appliance incompatibility while these new algorithms are rolled out, administrators can disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy, available starting in Chrome 116. This policy will only be offered as a temporary measure; administrators are strongly encouraged to work with the vendors of the affected products to ensure that bugs causing incompatibilities get fixed as soon as possible.

As a final deployment consideration, both the X25519Kyber768 and the Kyber specifications are drafts and may change before they are finalized, which may result in Chrome’s implementation changing as well.

“Using X25519Kyber768 adds over a kilobyte of extra data to the TLS ClientHello message due to the addition of the Kyber-encapsulated key material. Our earlier experiments with CECPQ2 demonstrated that the vast majority of TLS implementations are compatible with this size increase; however, in certain limited cases, TLS middleboxes failed due to improperly hardcoded restrictions on message size.”

Devon O’Brien, Technical Program Manager, Chrome security

Quick Summary

“Google is preparing for the advent of quantum computing by updating technical standards and testing new quantum-resistant algorithms, with Chrome set to support X25519Kyber768 for establishing secure connections. This move is crucial as quantum computers could potentially break modern cryptography, hence the need for quantum-resistant cryptography to secure data against future quantum cryptanalysis.”

  • Google is preparing the web for the transition to quantum-resistant cryptography, updating technical standards, testing new algorithms, and collaborating with the wider ecosystem.
  • Google Chrome will start supporting X25519Kyber768, a hybrid mechanism that combines two cryptographic algorithms, for establishing symmetric secrets in TLS, starting with Chrome 116.
  • X25519Kyber768 is a combination of X25519, an elliptic curve algorithm, and Kyber-768, a quantum-resistant Key Encapsulation Method and a winner of NIST’s PQC competition for general encryption.
  • The change is being rolled out to Chrome and Google servers, with monitoring for potential compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support.
  • The move towards quantum-resistant cryptography is due to the development of quantum computers, which can perform certain computations that are currently unachievable. Current asymmetric cryptography is strong against existing technology but not against a sufficiently capable quantum computer.
  • Quantum-resistant cryptography must be secure against both quantum and classical cryptanalytic techniques. Hybrid mechanisms like X25519Kyber768 allow the deployment and testing of new quantum-resistant algorithms while ensuring existing secure algorithms protect connections.
  • The need to protect data now is due to the potential of a ‘Harvest Now, Decrypt Later’ attack, where data is collected and stored today and decrypted once cryptanalysis improves.
