Google is set to upgrade its post-quantum encryption protection on its web browser desktop with the new Chrome 131 release.
This comes as the National Institute of Standards and Technology (NIST) officially released the first three quantum-resistant approved algorithms on August 13, 2024. The Tech giant first introduced hybrid quantum-safe encryption back in April based on the experimental Kyber TLS key exchange system and has now decided to switch to the new ML-KEM standard.
While the full implementation of quantum computing being a ways off still – experts estimate Q-day to happen between five and 10 years for now – it's just a matter of time before current encryption methods become obsolete. Hackers know that and they've already begun executing what's known as “store now, decrypt later (SNDL) attacks.” This is why it is crucial for all software providers using encryption to kick off the post-quantum transition as soon as possible.
Switching to the ML-KEM algorithm
After over a decade of testing more than 80 algorithms, NIST released the first three quantum-resistant encryption standards last month which are designed for specific tasks.
The Module Lattice Key Encapsulation Mechanism (ML-KEM) is the primary standard for cryptographic key exchanges. This is essentially the process of protecting the exchange of information across a public network like in the case of web browsers or the best VPN apps. The ML-KEM algorithm is based on what was previously known as CRYSTALS-Kyber, exactly what Chrome adopted back in April.
As Google explains in a blog post: “The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber.
“We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations.”
Why do we need post-quantum encryption?
For the less techy out there, encryption is the process of scrambling data into an unreadable form to make sure that only the sender and receiver can access the information.
For instance, today's VPN protocols often leverage RSA-based key exchanges to ensure only you and your receiver can encrypt and decrypt the information. Web browsers like Google Chrome use a similar methods based on TLS key exchange to secure your data in transit.
As mentioned earlier, today's encryption is set to eventually lose its effectiveness due to quantum computers's ability to process computations that stump current machines, within minutes. If you want some more technical details on how quantum computing breaks encryption, I suggest you watch the explainer below from Veritasium:
The biggest takeaway here is that the cryptographic world must get ready to fight back against new security threats coming from a mass adoption of quantum computers.
The NIST standardized algorithms come, in fact, with instructions on how to implement them and their intended uses to better support developers to embark on their PQ transition.
At the time of writing, just a handful of VPN providers have already embraced the new era of VPN security, while more companies are working to upgrade their protections. Secure messaging app Signal also added post-quantum encryption last September. On July 2023, secure email provider Tuta (formerly known as Tutanota) also shared its plans to bring post-quantum cryptography to the cloud with its PQDrive project.
We expect more and more developers to join the PQ revolution. As experts at NIST pointed out, in fact, “full integration will take time.”
