In a strategic move to bolster defenses against the emerging threat of cryptographically relevant quantum computers, Google has announced its transition from KYBER to ML-KEM within its Chrome web browser. This move underscores the company’s commitment to securing digital communications in an era where quantum technologies pose an escalating risk.
“Chrome will introduce a key share prediction for the hybrid ML-KEM (codepoint 0x11EC),” stated the Chrome Team members David Adrian, David Benjamin, Bob Beck, and Devon O’Brien. “Both Kyber and ML-KEM will be governed by the PostQuantumKeyAgreementEnabled flag and enterprise policy.”
This update is slated for inclusion in Chrome version 131, anticipated for release in early November 2024. Google highlighted that the two hybrid post-quantum key exchange mechanisms are incompatible with each other, necessitating the phase-out of KYBER.
“The final iteration of ML-KEM renders it incompatible with the previously utilized Kyber version,” the company explained. “Consequently, the TLS codepoint for hybrid post-quantum key exchange will shift from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519.”
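The codepoint change quoted above is visible on the wire in the ClientHello: the `supported_groups` extension lists the named groups the client offers, and the `key_share` extension carries the key share the client "predicts" the server will accept. The following added example (not Chrome's or Google's code) builds a constructed ClientHello inline and parses those two extensions, so a defender can check whether a client still offers the draft Kyber group 0x6399 or has moved to 0x11EC; the group names used are the draft names for those codepoints.

```python
import struct
X25519 = 0x001D
X25519_KYBER768_DRAFT = 0x6399   # Kyber768+X25519 draft hybrid, being phased out
X25519_MLKEM768 = 0x11EC         # ML-KEM768+X25519 final hybrid, Chrome 131 onwards
GROUP_NAMES = {X25519: "x25519", X25519_KYBER768_DRAFT: "X25519Kyber768Draft00",
               X25519_MLKEM768: "X25519MLKEM768"}
SUPPORTED_GROUPS, KEY_SHARE = 0x000A, 0x0033   # TLS extension types

def build_client_hello(groups, share_group, share_len):
    """Constructed minimal TLS 1.3 ClientHello record (sample data, not a real capture)."""
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    entry = struct.pack("!HH", share_group, share_len) + b"\x00" * share_len  # dummy key bytes
    ks = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SUPPORTED_GROUPS, len(sg)) + sg
    exts += struct.pack("!HH", KEY_SHARE, len(ks)) + ks
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)  # version, random, session id, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_groups(record):
    """Return (offered named groups, [(group, key_share_len), ...]) from a ClientHello record."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    offered, shares = [], []
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if etype == SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            offered = list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))
        elif etype == KEY_SHARE:
            q, qend = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q < qend:
                g, l = struct.unpack("!HH", data[q:q + 4])
                shares.append((g, l))
                q += 4 + l
    return offered, shares

def classify(record):
    """Which hybrid PQ groups the client offers, and which group it predicted a key share for."""
    offered, shares = parse_groups(record)
    return {"offers_draft_kyber": X25519_KYBER768_DRAFT in offered,
            "offers_mlkem": X25519_MLKEM768 in offered,
            "predicted_shares": [GROUP_NAMES.get(g, hex(g)) for g, _ in shares]}
```

A ML-KEM768+X25519 key share is 1216 bytes (1184-byte ML-KEM-768 encapsulation key plus a 32-byte X25519 point), which is the size the constructed sample uses; a client that only predicts 0x6399 will stop getting a one-round-trip handshake once servers drop the draft group.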
This announcement follows the recent publication by the U.S. National Institute of Standards and Technology (NIST) of the final versions of three new encryption algorithms designed to fortify current systems against future quantum-based assaults, concluding an extensive eight-year endeavor.
The encryption algorithms introduced are FIPS 203 (known as ML-KEM), FIPS 204 (referred to as CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (designated as SPHINCS+ or SLH-DSA), which are intended for general encryption (ML-KEM) and safeguarding digital signatures (ML-DSA and SLH-DSA). A fourth algorithm, FN-DSA (originally FALCON), is anticipated for finalization later this year.
ML-KEM, short for Module-Lattice-based Key-Encapsulation Mechanism, is derived from the third-round version of CRYSTALS-KYBER KEM and facilitates the establishment of a shared secret key between communicating parties over a public channel.
In parallel, Microsoft is also preparing for a post-quantum landscape, announcing an upgrade to its SymCrypt cryptographic library to incorporate support for ML-KEM and the eXtended Merkle Signature Scheme (XMSS).
“Integrating post-quantum algorithm support into the foundational cryptographic engine is a crucial initial step towards a quantum-secure future,” Microsoft stated, emphasizing that the shift to post-quantum cryptography (PQC) is a “complex, multi-year, and iterative process” requiring meticulous planning.
This update comes on the heels of a discovered cryptographic vulnerability in Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers, which could potentially allow for the extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey authentication devices.
The flaw within Infineon’s cryptographic library is believed to have remained undetected for 14 years and through approximately 80 high-level Common Criteria certification evaluations.
The side-channel attack, named EUCLEAK (CVE-2024-45678, CVSS score: 4.9) by NinjaLab’s Thomas Roche, impacts all Infineon security microcontrollers embedded with the cryptographic library and the following YubiKey devices:
- YubiKey 5 Series versions prior to 5.7
- YubiKey 5 FIPS Series versions prior to 5.7
- YubiKey 5 CSPN Series versions prior to 5.7
- YubiKey Bio Series versions prior to 5.7.2
- Security Key Series all versions prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0
“An attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, along with knowledge of the targeted accounts and specialized equipment for executing the attack,” Yubico, the manufacturer of YubiKey, detailed in a coordinated advisory.
“Depending on the scenario, the attacker may also require additional information, such as usernames, PINs, account passwords, or [YubiHSM] authentication keys.”
Given that existing YubiKey devices with vulnerable firmware cannot be updated—an intentional design choice to maximize security and avoid new vulnerabilities—they remain perpetually exposed to EUCLEAK.
The company has announced plans to phase out support for Infineon’s cryptographic library, opting instead for its proprietary cryptographic library in firmware versions YubiKey 5.7 and YubiHSM 2.4.
A similar side-channel vulnerability affecting Google Titan security keys was demonstrated by Roche and Victor Lomne in 2021, which could potentially allow adversaries to clone the devices by exploiting an electromagnetic side-channel in the embedded chip.
“EUCLEAK requires physical access to the secure element (a few local electromagnetic side-channel acquisitions, i.e., a few minutes, are sufficient) to extract the ECDSA secret key,” Roche stated. “In the context of the FIDO protocol, this facilitates the creation of a clone of the FIDO device.”