Google has announced that it will switch from Kyber to ML-KEM in its Chrome web browser, as part of its ongoing effort to defend against the risks posed by cryptographically relevant quantum computers (CRQCs).
Google Chrome and the new encryption against quantum computers
“Chrome will offer key share prediction for hybrid ML-KEM (code 0x11EC),” declared David Adrian, David Benjamin, Bob Beck and Devon O’Brien of the Chrome team. “The PostQuantumKeyAgreementEnabled enterprise policy will apply to both Kyber and ML-KEM.”
The change is scheduled to take effect in Chrome version 131, expected for release in early November 2024. Google noted that the two hybrid post-quantum key exchange approaches are incompatible with each other, which led to the decision to drop Kyber.
“Changes in the final release of ML-KEM make it incompatible with the previously deployed version of Kyber,” the company said. “As a result, the TLS cipher for the hybrid post-quantum key exchange is moving from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519.”
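Because the draft and final hybrid groups use different codepoints, an operator rolling out ML-KEM can see which one each client offers by looking at the supported_groups extension of the ClientHello. The script below is an added example, not code from Google or from the article: it constructs a minimal TLS 1.3-style ClientHello (sample input, not a capture from a real browser), parses the supported_groups extension, and classifies the client as offering final ML-KEM, the deprecated Kyber draft, or only classical groups. The codepoints 0x6399 and 0x11EC and their pairing with X25519 come from the article; the classical group values are the IANA-registered ones.

```python
import struct

# Named-group codepoints: 0x6399 and 0x11EC are the hybrid groups named in the
# article, the others are IANA-registered classical groups they are paired with.
GROUP_NAMES = {
    0x0017: "secp256r1",
    0x001D: "x25519",
    0x6399: "Kyber768+X25519 (draft, deprecated)",
    0x11EC: "ML-KEM768+X25519 (final)",
}

SUPPORTED_GROUPS_EXT = 0x000A   # extension type for supported_groups


def build_client_hello(groups):
    """Build a minimal TLS 1.3-style ClientHello record that carries only a
    supported_groups extension. Constructed sample input, not a real capture."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    extension = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                             # legacy_version (TLS 1.2 on the wire)
        + bytes(32)                             # client random (zeros; constructed)
        + b"\x00"                               # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # legacy_compression_methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_supported_groups(record):
    """Walk a TLS handshake record to the ClientHello's supported_groups extension
    and return the offered codepoints in the client's preference order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip legacy_version + random
    pos += 1 + body[pos]                          # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # skip cipher_suites
    pos += 1 + body[pos]                          # skip legacy_compression_methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SUPPORTED_GROUPS_EXT:
            (glen,) = struct.unpack("!H", edata[:2])
            return [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, glen, 2)]
    return []


def classify_pq_key_exchange(groups):
    """Report which hybrid post-quantum group, if any, the client offers.
    A client offering both is counted as ML-KEM, since that is what a
    server supporting both will select."""
    if 0x11EC in groups:
        return "ML-KEM768+X25519 (0x11EC)"
    if 0x6399 in groups:
        return "Kyber768+X25519 (0x6399, deprecated)"
    return "classical only"


if __name__ == "__main__":
    for offered in ([0x11EC, 0x001D, 0x0017], [0x6399, 0x001D], [0x001D, 0x0017]):
        groups = parse_supported_groups(build_client_hello(offered))
        names = [GROUP_NAMES.get(g, hex(g)) for g in groups]
        print(f"{names} -> {classify_pq_key_exchange(groups)}")
```

Run against real traffic, the same parser applied to the first record of each new TLS session gives a count of clients still offering only 0x6399, which is the population that will fall back to classical key exchange once a server stops accepting the draft codepoint.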
Chrome and the New Frontiers of Anti-Quantum Computer Cryptography
The development comes shortly after the U.S. National Institute of Standards and Technology (NIST) published the final versions of three new cryptographic algorithms designed to protect current systems against future attacks by quantum computers, marking the conclusion of an eight-year effort by the agency.
The algorithms in question are FIPS 203 (also known as ML-KEM), FIPS 204 (also known as CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (also known as SPHINCS+ or SLH-DSA), intended for general encryption and digital signatures; a fourth algorithm, FN-DSA (originally called FALCON), is scheduled for completion by the end of the year.
ML-KEM, short for “Module-Lattice-based Key-Encapsulation Mechanism”, is derived from the third version of the CRYSTALS-KYBER KEM and can be used to establish a shared secret key between two parties communicating over a public channel.
Not only Google Chrome: Microsoft is also preparing
Microsoft, for its part, is preparing for a post-quantum world by announcing an update to its SymCrypt cryptography library with support for ML-KEM and the Extended Merkle Signature Scheme (XMSS).
“Adding support for post-quantum algorithms to the core cryptographic engine is the first step towards a quantum-safe world,” the Windows maker declared, adding that the transition to post-quantum cryptography (PQC) is a “complex, multi-year and iterative process” that requires careful planning.
The disclosure also follows the discovery of a cryptographic vulnerability in Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow the extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey hardware authentication devices.
The cryptographic vulnerability is believed to lie in a library provided by Infineon and to have gone unnoticed for 14 years and through approximately 80 Common Criteria certification evaluations at the highest assurance levels.
In addition to Chrome, encryption is also being implemented on other programs
The side-channel attack, called EUCLEAK (CVE-2024-45678, CVSS score: 4.9) by Thomas Roche of NinjaLab, affects all Infineon secure microcontrollers incorporating the cryptographic library and the following YubiKey devices:
- YubiKey 5 Series versions prior to 5.7
- YubiKey 5 Series FIPS versions prior to 5.7
- YubiKey 5 Series CSPN versions prior to 5.7
- YubiKey Bio versions prior to 5.7.2
- All versions of Security Key prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0
“The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they wish to attack, and specialized equipment to carry out the necessary attack,” declared Yubico, the company behind YubiKey, in a coordinated advisory, adding: “Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key [YubiHSM].”
However, because existing YubiKey devices with vulnerable firmware versions cannot be updated (an intentional design choice to maximize security and avoid introducing new vulnerabilities), they remain permanently susceptible to the EUCLEAK attack.
The company has announced plans to deprecate support for Infineon’s cryptographic library in favor of its own cryptographic library as part of the YubiKey 5.7 and YubiHSM 2.4 firmware releases.
A similar side-channel attack against the Google Titan Security Keys was demonstrated by Roche and Victor Lomne in 2021, potentially allowing cybercriminals to clone devices by exploiting an electromagnetic side channel in the integrated chip.
“The attack [EUCLEAK] requires physical access to the secure element (a few local acquisitions of the electromagnetic side channel, i.e. a few minutes, are enough to extract the ECDSA secret key),” Roche declared. “In the case of the FIDO protocol, this allows you to create a clone of the FIDO device.”