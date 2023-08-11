Google has announced its intention to incorporate support for quantum-resistant encryption algorithms in its Chrome browser, beginning with version 116. The inclusion of X25519Kyber768, a hybrid encryption algorithm, will allow for the establishment of symmetric secrets in TLS (Transport Layer Security). X25519Kyber768 combines the output of X25519 and Kyber-768 to create a robust session key for encrypting TLS connections. This move is part of an effort to address future cyber threats posed by the rise of quantum computing.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) selected Kyber as a candidate for general encryption due to its ability to combat potential quantum computing attacks. The algorithm has already been adopted by major industry players such as Cloudflare, Amazon Web Services, and IBM. X25519Kyber768 offers a flexible method for deploying and testing new quantum-resistant algorithms while still ensuring the protection of connections through existing secure algorithms.

Although it may take several years or even decades for quantum computers to pose significant risks, certain encryption methods are vulnerable to an attack known as “harvest now, decrypt later.” This attack involves collecting encrypted data with the hope of decrypting it later when technology breakthroughs make cryptanalysis easier. Quantum computers have the capacity to perform computations that can easily overcome current cryptographic implementations.

The update to Chrome aims to use quantum-resistant session keys in TLS, allowing for the protection of user network traffic against future quantum cryptanalysis. Enterprises experiencing network appliance incompatibility issues following the rollout of these changes can temporarily disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy, available from Chrome 116 onwards.

In addition to this development, Google has switched the release cadence of Chrome security updates from bi-weekly to weekly. This decision aims to minimize the attack window and address the growing patch gap problem that enables threat actors more time to exploit published n-day and zero-day vulnerabilities.

By releasing security fixes as soon as possible, Google hopes to limit the potential for bad actors to develop and apply exploits against users who have yet to receive the necessary patches.