Google is set to update its post-quantum encryption protection in its desktop web browser with the new Chrome 131 version.
This comes as the National Institute of Standards and Technology (NIST) officially released the first three approved quantum-resistant algorithms on August 13, 2024. The tech giant first introduced quantum-safe hybrid encryption in April based on the experimental Kyber TLS key exchange system and has now decided to switch to the new ML-KEM standard.
Although full implementation of quantum computing is still a long way off (experts estimate that Q-day will occur within five to ten years), it is only a matter of time before current encryption methods become obsolete. Hackers know this and have already begun executing what are known as “store now, decrypt later” (SNDL) attacks. That is why it is crucial for all software vendors that use encryption to begin the post-quantum transition as soon as possible.
Switching to ML-KEM algorithm
After more than a decade of testing more than 80 algorithms, NIST last month released the first three quantum-resistant encryption standards designed for specific tasks.
Modular Network Key Encapsulation Mechanism (ML-KEM) is the leading standard for cryptographic key exchanges. It’s essentially the process of securing the exchange of information over a public network, such as in web browsers or the best VPN apps. The ML-KEM algorithm is based on what was previously known as CRYSTALS-Kyber, exactly what Chrome adopted in April.
As Google explains in a blog post: “Changes in the final version of ML-KEM make it incompatible with the previously deployed version of Kyber.
“We don't want to back off post-quantum security for any client, so we're waiting until Chrome 131 to make this change so server operators have a chance to update their implementations.”
Why do we need post-quantum encryption?
For the less tech-savvy, encryption is the process of scrambling data into an unreadable format to ensure that only the sender and receiver can access the information.
For example, today's VPN protocols typically leverage RSA-based key exchanges to ensure that only you and your recipient can encrypt and decrypt information. Web browsers like Google Chrome use similar methods based on TLS key exchanges to protect your data in transit.
As mentioned above, current encryption is destined to lose its effectiveness due to the ability of quantum computers to process calculations that challenge current machines in a matter of minutes. If you want more technical details on how quantum computing breaks encryption, I suggest you watch the explanation below from Veritasium:
The main conclusion that can be drawn from this is that the crypto world must prepare to fight against the new security threats that will arise from the mass adoption of quantum computers.
NIST standardized algorithms do, in fact, come with instructions on how to implement them and their intended uses to better help developers embark on their transition to PQ.
At the time of writing, only a handful of VPN providers have already embraced the new era of VPN security, while more companies are working to improve their protections. Secure messaging app Signal also added post-quantum encryption last September. In July 2023, secure email provider Tuta (formerly known as Tutanota) also shared its plans to bring post-quantum cryptography to the cloud with its PQDrive project.
We expect more and more developers to join the PQ revolution. As NIST experts noted, in fact, “full integration will take time.”
