Google has announced that it will be switching from Kyber to ML-KEM in its Chrome web browser as part of its ongoing efforts to defend against the risk posed by cryptographically relevant quantum computers (CRQCs). The change is expected to take effect in Chrome version 131, which is on track for release in early November 2024.
The company noted that the two hybrid post-quantum key exchange approaches are essentially incompatible with each other, prompting it to abandon Kyber. “The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber,” Google said. As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519.
This development comes shortly after the US National Institute of Standards and Technology (NIST) published the final versions of three new encryption algorithms to secure current systems against future attacks using quantum technologies. Microsoft is also preparing for a post-quantum world by announcing an update to its SymCrypt cryptographic library with support for ML-KEM and eXtended Merkle Signature Scheme (XMSS).
In related news, a cryptographic flaw has been discovered in the Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow for the extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey hardware authentication devices. The company behind YubiKey, Yubico, announced plans to deprecate support for Infineon’s cryptographic library in favor of its own cryptographic library as part of firmware versions YubiKey 5.7 and YubiHSM 2.4.
Source: https://thehackernews.com/2024/09/google-chrome-switches-to-ml-kem-for.html?m=1