Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense

Google has announced that it is transitioning from Kyber to ML-KEM in its Chrome web browser as part of its continuing efforts to guard against the threat posed by cryptographically relevant quantum computers (CRQCs).

"Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)," David Adrian, David Benjamin, Bob Beck, and Devon O'Brien of the Chrome Team announced. "The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM."

The changes are slated to take effect in Chrome version 131, which is on track for release in early November 2024. Google said the two hybrid post-quantum key exchange schemes are effectively incompatible with each other, which is why it is dropping Kyber.

"The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," the business noted. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."
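Because the old and new hybrid groups are distinct codepoints, a defender can tell from a ClientHello's supported_groups list whether a client still offers the retired Kyber draft or the final ML-KEM hybrid. The following parser is an added example, not Chrome's or BoringSSL's code; the sample extension bodies are constructed here, not captured traffic, and the group names are taken from the article.

```python
import struct

# NamedGroup codepoints quoted in the article (TLS supported_groups registry).
KYBER768_X25519 = 0x6399   # draft hybrid, retired as of Chrome 131
MLKEM768_X25519 = 0x11EC   # final ML-KEM hybrid
X25519 = 0x001D            # classical fallback group

GROUP_NAMES = {
    KYBER768_X25519: "Kyber768+X25519",
    MLKEM768_X25519: "ML-KEM768+X25519",
    X25519: "X25519",
}

def parse_supported_groups(ext_body: bytes) -> list[int]:
    """Parse the body of a TLS supported_groups extension (RFC 8446 4.2.7):
    a 2-byte list length followed by 2-byte NamedGroup codepoints."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("malformed NamedGroupList length")
    return [g for (g,) in struct.iter_unpack("!H", ext_body[2:2 + list_len])]

def classify_pq_offer(groups: list[int]) -> dict:
    """Report which hybrid post-quantum codepoints a ClientHello offers,
    and whether a PQ hybrid is the client's first preference."""
    return {
        "offers_kyber_draft": KYBER768_X25519 in groups,
        "offers_mlkem": MLKEM768_X25519 in groups,
        "pq_first": bool(groups) and groups[0] in (KYBER768_X25519, MLKEM768_X25519),
        "names": [GROUP_NAMES.get(g, f"unknown(0x{g:04X})") for g in groups],
    }

def build_supported_groups(groups: list[int]) -> bytes:
    """Inverse of parse_supported_groups; used here only to build sample input."""
    body = b"".join(struct.pack("!H", g) for g in groups)
    return struct.pack("!H", len(body)) + body

# Constructed samples: a pre-131 style offer (Kyber draft first) and a
# post-131 style offer (ML-KEM first). These are illustrative, not captures.
OLD_HELLO_GROUPS = build_supported_groups([KYBER768_X25519, X25519])
NEW_HELLO_GROUPS = build_supported_groups([MLKEM768_X25519, X25519])

if __name__ == "__main__":
    for label, body in (("old", OLD_HELLO_GROUPS), ("new", NEW_HELLO_GROUPS)):
        print(label, classify_pq_offer(parse_supported_groups(body)))
```

Running the same classification over server-side handshake logs shows which peers still only speak the 0x6399 draft and will lose hybrid PQ protection once Chrome stops offering it.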

The development comes shortly after the U.S. National Institute of Standards and Technology (NIST) published the final versions of three new encryption algorithms designed to secure current systems against future attacks using quantum computers, marking the culmination of an eight-year effort by the agency.

The algorithms in question are FIPS 203 (aka ML-KEM), FIPS 204 (aka CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (aka Sphincs+ or SLH-DSA), which are intended for general encryption and for protecting digital signatures. A fourth algorithm, FN-DSA (formerly known as FALCON), is expected to be finalized later this year.

ML-KEM, short for Module-Lattice-based Key-Encapsulation Mechanism, is derived from the round-three version of the CRYSTALS-KYBER KEM and can be used to establish a shared secret key between two parties communicating over a public channel.

Microsoft, for its part, is also preparing for a post-quantum future by adding support for ML-KEM and the eXtended Merkle Signature Scheme (XMSS) to its SymCrypt cryptography library.

"Adding post-quantum algorithm support to the underlying crypto engine is the first step towards a quantum safe world," the Windows maker said, adding that the move to post-quantum cryptography (PQC) is a "complex, multi-year and iterative process" that needs careful preparation.

The disclosure also follows the discovery of a cryptographic flaw in the Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow the extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey hardware authentication devices.

The cryptographic weakness in the Infineon-supplied library is estimated to have gone unnoticed for 14 years and through roughly 80 highest-level Common Criteria certification evaluations.

The side-channel attack, dubbed EUCLEAK (CVE-2024-45678, CVSS score: 4.9) by NinjaLab's Thomas Roche, affects all Infineon security microcontrollers incorporating the cryptographic library and the following YubiKey devices -

YubiKey 5 Series versions prior to 5.7
YubiKey 5 FIPS Series versions prior to 5.7
YubiKey 5 CSPN Series versions prior to 5.7
YubiKey Bio Series versions prior to 5.7.2
Security Key Series all versions prior to 5.7
YubiHSM 2 versions prior to 2.4.0
YubiHSM 2 FIPS versions prior to 2.4.0

"The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack," Yubico, the firm behind YubiKey, warned in a unified alert.

"Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or [YubiHSM] authentication key."

But since existing YubiKey devices with vulnerable firmware versions cannot be upgraded (a deliberate design decision intended to maximize security and avoid introducing new vulnerabilities), they remain permanently exposed to EUCLEAK.

The company has since announced plans to deprecate support for Infineon's cryptographic library in favor of its own cryptographic library as part of firmware versions YubiKey 5.7 and YubiHSM 2.4.

The findings follow a similar side-channel attack on Google Titan security keys that was disclosed by Roche and Victor Lomne in 2021, which could allow malicious actors to clone the devices by exploiting an electromagnetic side channel in the chip embedded in them.

"The [EUCLEAK] attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key," Roche explained. "In the case of the FIDO protocol, this allows to create a clone of the FIDO device."
