Google is set to improve post-quantum encryption security on its desktop web browser with the upcoming release of Chrome 131.
This comes as the National Institute of Standards and Technology (NIST) officially released the first three quantum-resistant approved algorithms on August 13, 2024. The tech giant first introduced hybrid quantum-safe encryption based on the experimental Kyber TLS key exchange system in April and has now decided to switch to the new ML-KEM standard.
While full implementation of quantum computing is still a long way off – experts estimate that Q-Day will take between five and 10 years – it’s only a matter of time before current encryption methods become obsolete. Hackers know this, and have already begun performing what are known as “store now, decrypt later (SNDL) attacks.” That’s why it’s crucial for all software vendors using encryption to start the post-quantum transition as soon as possible.
Switching to the ML-KEM algorithm
After testing more than 80 algorithms for more than a decade, NIST last month published the first three quantum-resistant encryption standards designed for specific tasks.
The Module Lattice Key Encapsulation Mechanism (ML-KEM) is the primary standard for cryptographic key exchange. This is essentially the process of protecting the exchange of information over a public network, such as in the case of web browsers or the best VPN apps. The ML-KEM algorithm is based on what was formerly known as CRYSTALS-Kyber, which is exactly what Chrome adopted in April.
As Google explains in a blog post: “The changes in the final version of ML-KEM make it incompatible with the previously deployed version of Kyber.
“We don’t want to degrade the post-quantum security of clients, so we’re waiting until Chrome 131 to push this change so server administrators can update their implementations.”
Why do we need post-quantum encryption?
For the less technical among us, encryption is the process of converting data into an unreadable form so that only the sender and receiver can access the information.
For example, today’s VPN protocols often use RSA-based key exchanges to ensure that only you and your recipient can encrypt and decrypt information. Web browsers like Google Chrome use similar methods based on TLS key exchange to secure your data in transit.
As mentioned earlier, today’s encryption will eventually lose its effectiveness due to the ability of quantum computers to process calculations that would bog down current machines in minutes. If you want more technical details on how quantum computing breaks encryption, I recommend checking out Veritasium’s explanation below:
The main lesson we can learn from this is that the crypto community must prepare itself to combat new security threats arising from the mass adoption of quantum computers.
NIST’s standardized algorithms come with instructions on how to implement them and their intended use, to better support developers in the PQ transition.
At the time of writing, only a handful of VPN providers have embraced the new era of VPN security, while more companies are working to upgrade their protections. Secure messaging app Signal also added post-quantum encryption last September . In July 2023, secure email provider Tuta (formerly known as Tutanota) also shared its plans to bring post-quantum cryptography to the cloud with its PQDrive project.
We expect more and more developers to join the PQ revolution. As experts at NIST pointed out“Full integration will take time.”