Google has announced that it is switching from Kyber to ML-KEM in its Chrome web browser as part of its ongoing efforts to protect against the risk posed by cryptographically relevant quantum computers (CRQC).
“Chrome will offer a key share prediction for hybrid ML-KEM (code point 0x11EC),” David Adrian, David Benjamin, Bob Beck, and Devon O’Brien of the Chrome Team said. “The PostQuantumKeyAgreementEnabled flag and company policy will apply to both Kyber and ML-KEM.”
The changes are expected to take effect in Chrome version 131, which is on track for release in early November 2024. Google noted that the two hybrid post-quantum key exchange approaches are fundamentally incompatible with each other, prompting it to abandon Kyber.
“Changes in the final version of ML-KEM make it incompatible with the previously deployed version of Kyber,” the company said. “As a result, the codepoint in TLS for hybrid post-quantum key exchange changes from 0x6399 for Kyber768+X25519 to 0x11EC for ML-KEM768+X25519.”
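The code point change above is visible on the wire: a client that has moved to ML-KEM advertises 0x11EC in the supported_groups extension of its ClientHello, while one still on the draft hybrid advertises 0x6399. The following added example (not Chrome's or Google's code) builds a minimal, constructed ClientHello and parses the extension back out, so an operator can classify what a captured client advertises. It assumes the IANA code point 0x001D for X25519; the two hybrid code points come from the article.

```python
"""Parse the supported_groups extension of a TLS ClientHello and report which
hybrid post-quantum key-exchange code points the client advertises.
Added example; the ClientHello below is constructed, not captured."""
import struct

# Named-group code points: the two hybrids named in the article, plus the
# standard X25519 code point (0x001D, IANA TLS Supported Groups registry).
KYBER768_X25519 = 0x6399   # draft Kyber768 + X25519 hybrid (pre-standard)
MLKEM768_X25519 = 0x11EC   # final ML-KEM768 + X25519 hybrid
X25519 = 0x001D

GROUP_NAMES = {
    KYBER768_X25519: "Kyber768+X25519 (draft)",
    MLKEM768_X25519: "ML-KEM768+X25519 (final)",
    X25519: "X25519 (classical)",
}

SUPPORTED_GROUPS_EXT = 0x000A


def build_client_hello(groups):
    """Build a minimal TLS record holding a ClientHello whose only extension is
    supported_groups. Constructed test data, enough for the parser below."""
    group_list = b"".join(struct.pack(">H", g) for g in groups)
    ext_body = struct.pack(">H", len(group_list)) + group_list
    extension = struct.pack(">HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
    extensions = struct.pack(">H", len(extension)) + extension
    body = (
        b"\x03\x03"              # legacy_version: TLS 1.2
        + bytes(32)              # random (all zero in this constructed sample)
        + b"\x00"                # legacy_session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # legacy_compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_supported_groups(record):
    """Return the named-group code points listed in the ClientHello's
    supported_groups extension, in the order the client prefers them."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip version + random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # skip cipher suites
    pos += 1 + body[pos]                          # skip compression methods
    if pos + 2 > len(body):
        return []                                 # no extensions block at all
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack(">H", data[:2])[0]
            return [struct.unpack(">H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def classify_pq_support(groups):
    """Summarise hybrid PQ readiness from a supported_groups list."""
    hybrids = (KYBER768_X25519, MLKEM768_X25519)
    return {
        "kyber_draft": KYBER768_X25519 in groups,
        "mlkem_final": MLKEM768_X25519 in groups,
        "classical_only": not any(g in hybrids for g in groups),
    }


if __name__ == "__main__":
    for sample in ([MLKEM768_X25519, X25519], [KYBER768_X25519, X25519], [X25519]):
        groups = parse_supported_groups(build_client_hello(sample))
        names = [GROUP_NAMES.get(g, hex(g)) for g in groups]
        print(names, classify_pq_support(groups))
```

In practice the record bytes would come from a packet capture of port 443 traffic; a client advertising only 0x6399 after Chrome 131 ships, or a server that negotiates neither hybrid, is the mismatch this check is meant to surface.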
The development comes shortly after the US National Institute of Standards and Technology (NIST) published the final versions of three new encryption algorithms designed to protect current systems from future attacks using quantum technology, the culmination of an eight-year effort by the agency.
The algorithms in question, FIPS 203 (aka ML-KEM), FIPS 204 (aka CRYSTALS-Dilithium or ML-DSA), and FIPS 205 (aka SPHINCS+ or SLH-DSA), are designed for general encryption and for protecting digital signatures. The fourth algorithm, FN-DSA (originally called FALCON), is scheduled for completion this year.
ML-KEM, short for Module-Lattice-based Key-Encapsulation Mechanism, is derived from the third-round version of the CRYSTALS-Kyber KEM and can be used to establish a shared secret key between two parties communicating over a public channel.
Microsoft, for its part, is also gearing up for a post-quantum world, announcing an update to its SymCrypt cryptographic library with support for ML-KEM and eXtended Merkle Signature Scheme (XMSS).
“Adding support for post-quantum algorithms to the underlying crypto engine is the first step towards a quantum-secure world,” the Windows maker said, adding that the transition to post-quantum cryptography (PQC) is a “complex, multi-year and iterative process” that requires careful planning.
The disclosure also follows the discovery of a cryptographic flaw in the Infineon SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be extracted from YubiKey hardware authentication devices.
The cryptographic flaw in the Infineon-supplied library is believed to have gone undetected for 14 years and through about 80 highest-level Common Criteria certification evaluations.
The side-channel attack, dubbed EUCLEAK (CVE-2024-45678, CVSS score: 4.9) by Thomas Roche of NinjaLab, affects all Infineon security microcontrollers that embed the cryptographic library and the following YubiKey devices:
- YubiKey 5 Series versions prior to 5.7
- YubiKey 5 FIPS Series versions prior to 5.7
- YubiKey 5 CSPN Series versions prior to 5.7
- YubiKey Bio Series versions prior to 5.7.2
- Security Key Series, all versions prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0
“An attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack,” Yubico, the company behind the YubiKey, said in a coordinated advisory.
“Depending on the use case, an attacker may also need additional knowledge, including a username, PIN, account password, or (YubiHSM) authentication key.”
But because existing YubiKey devices with vulnerable firmware versions cannot be updated – a deliberate design choice intended to maximize security and avoid introducing new vulnerabilities – they remain permanently vulnerable to EUCLEAK.
The company has since announced plans to drop support for Infineon’s cryptographic library in favor of its own cryptographic library as part of the YubiKey 5.7 and YubiHSM 2.4 firmware versions.
A similar side-channel attack against Google’s Titan security keys was demonstrated by Roche and Victor Lomne in 2021, potentially allowing attackers to clone the devices using an electromagnetic side channel in their embedded chip.
“The (EUCLEAK) attack requires physical access to the secure element (a few local electromagnetic side-channel acquisitions, i.e., several minutes) to obtain the ECDSA secret key,” Roche said. “In the case of the FIDO protocol, it allows you to clone a FIDO device.”
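Because affected firmware cannot be patched, the practical response is an inventory check: find every device whose firmware predates the version that carries Yubico's own library and plan its replacement. The added example below (not Yubico's code) encodes the version bounds listed above and triages a constructed inventory; the "Device type:" / "Firmware version:" lines mimic the style of `ykman info` output, and the keyword mapping from device description to product family is an assumption for illustration.

```python
"""Triage YubiKey/YubiHSM firmware versions against the EUCLEAK
(CVE-2024-45678) affected ranges quoted in the article.
Added example; the inventory text is constructed, not from real devices."""
import re

# First firmware version per product family that is NOT affected. The
# article lists the affected versions as those prior to these.
FIXED_VERSION = {
    "YubiKey 5 Series": (5, 7, 0),
    "YubiKey 5 FIPS Series": (5, 7, 0),
    "YubiKey 5 CSPN Series": (5, 7, 0),
    "YubiKey Bio Series": (5, 7, 2),
    "Security Key Series": (5, 7, 0),
    "YubiHSM 2": (2, 4, 0),
    "YubiHSM 2 FIPS": (2, 4, 0),
}


def parse_version(text):
    """Turn '5.4.3' or '5.7' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def product_family(device_type):
    """Map a free-form device description to an advisory product family.
    Assumption: a keyword heuristic is good enough for inventory text."""
    d = device_type.lower()
    if "yubihsm" in d:
        return "YubiHSM 2 FIPS" if "fips" in d else "YubiHSM 2"
    if "security key" in d:
        return "Security Key Series"
    if "bio" in d:
        return "YubiKey Bio Series"
    if "fips" in d:
        return "YubiKey 5 FIPS Series"
    if "cspn" in d:
        return "YubiKey 5 CSPN Series"
    return "YubiKey 5 Series"


def is_affected(device_type, firmware_version):
    """True when the firmware predates the version with Yubico's own library,
    i.e. the device still embeds the vulnerable Infineon library."""
    family = product_family(device_type)
    return parse_version(firmware_version) < FIXED_VERSION[family]


# Constructed inventory in the style of `ykman info` output (not real devices).
SAMPLE_INVENTORY = """\
Device type: YubiKey 5 NFC
Firmware version: 5.4.3
---
Device type: YubiKey 5C NFC FIPS
Firmware version: 5.7.0
---
Device type: YubiKey Bio - FIDO Edition
Firmware version: 5.7.1
---
Device type: Security Key NFC
Firmware version: 5.7.0
"""


def triage_inventory(text):
    """Return [(device_type, version, affected)] for each device block."""
    results = []
    for block in text.split("---"):
        dev = re.search(r"Device type:\s*(.+)", block)
        ver = re.search(r"Firmware version:\s*(\S+)", block)
        if dev and ver:
            name, version = dev.group(1).strip(), ver.group(1)
            results.append((name, version, is_affected(name, version)))
    return results


if __name__ == "__main__":
    for name, version, hit in triage_inventory(SAMPLE_INVENTORY):
        print(f"{'AFFECTED' if hit else 'ok      '}  {name} ({version})")
```

The comparison is strict, so a YubiKey 5 at exactly 5.7 or a Bio at exactly 5.7.2 is reported as unaffected, matching the "prior to" wording of the advisory.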