Google has announced that it will switch from KYBER to ML-KEM in its Chrome web browser as part of its ongoing efforts to defend against risks posed by cryptographically relevant quantum computers (CRQC).
“Chrome offers key share prediction for hybrid ML-KEM (codepoint 0x11EC),” said David Adrian, David Benjamin, Bob Beck, and Devon O’Brien from the Chrome team. “The PostQuantumKeyAgreementEnabled flag and enterprise policies apply to both Kyber and ML-KEM.”
The change is expected to take effect in Chrome version 131, scheduled for release in early November 2024. Google noted that the two hybrid post-quantum key exchange schemes are incompatible on the wire, which is why it is retiring the Kyber draft rather than supporting both.
“Changes to the final version of ML-KEM have made it incompatible with previously deployed Kyber versions,” the company said. “As a result, the TLS code point for the hybrid post-quantum key exchange will change from 0x6399 in Kyber768+X25519 to 0x11EC in ML-KEM768+X25519.”
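To make the code point change concrete, the following is an added example (not Chrome's code, and not part of the original article) that parses the TLS 1.3 key_share extension from a ClientHello or ServerHello and reports which groups are offered, flagging the retired 0x6399 (X25519Kyber768Draft00) and the new 0x11EC (X25519MLKEM768) codepoints. The expected share sizes are an assumption taken from the respective draft specifications, not from the article: both hybrids send a 1216-byte client share (a 32-byte X25519 key plus a 1184-byte Kyber/ML-KEM encapsulation key, concatenated in opposite order) and a 1120-byte server share, so only the codepoint, not the length, tells them apart. The sample hellos are constructed from dummy bytes.

```python
import struct

# TLS named-group codepoints relevant to Chrome's post-quantum rollout.
# 0x6399 and 0x11EC are the two hybrid codepoints quoted in the article;
# 0x001D is plain X25519, which Chrome keeps offering alongside the hybrid.
GROUP_NAMES = {
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x6399: "X25519Kyber768Draft00",
    0x11EC: "X25519MLKEM768",
}

# Expected client key_exchange sizes in bytes (assumption from the draft
# specifications, not from the article):
#   X25519Kyber768Draft00: X25519 pk (32) || Kyber768 pk (1184)   = 1216
#   X25519MLKEM768:        ML-KEM-768 ek (1184) || X25519 pk (32) = 1216
# Same length, components in opposite order: only the codepoint differs.
CLIENT_SHARE_LEN = {0x001D: 32, 0x0017: 65, 0x6399: 1216, 0x11EC: 1216}

# Server shares carry the KEM ciphertext (1088 bytes) instead of a public key.
SERVER_SHARE_LEN = {0x001D: 32, 0x0017: 65, 0x6399: 1120, 0x11EC: 1120}


def _describe(group: int, ke_len: int, expected: dict) -> dict:
    return {
        "group": group,
        "name": GROUP_NAMES.get(group, f"unknown(0x{group:04X})"),
        "length": ke_len,
        "length_ok": expected.get(group) == ke_len,
    }


def parse_client_key_share(body: bytes) -> list[dict]:
    """Parse a ClientHello key_share body (RFC 8446 section 4.2.8).

    Layout: uint16 client_shares length, then repeated
            uint16 group || uint16 key_exchange length || key_exchange.
    """
    if len(body) < 2:
        raise ValueError("key_share body too short")
    (total,) = struct.unpack("!H", body[:2])
    if total != len(body) - 2:
        raise ValueError("client_shares length does not match body")
    shares, pos = [], 2
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated KeyShareEntry header")
        group, ke_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ke_len > len(body):
            raise ValueError("truncated key_exchange")
        shares.append(_describe(group, ke_len, CLIENT_SHARE_LEN))
        pos += ke_len
    return shares


def parse_server_key_share(body: bytes) -> dict:
    """Parse a ServerHello key_share body: exactly one KeyShareEntry."""
    if len(body) < 4:
        raise ValueError("key_share body too short")
    group, ke_len = struct.unpack("!HH", body[:4])
    if ke_len != len(body) - 4:
        raise ValueError("key_exchange length does not match body")
    return _describe(group, ke_len, SERVER_SHARE_LEN)


def pq_status(shares: list[dict]) -> str:
    """Classify a ClientHello by which hybrid codepoint(s) it offers."""
    groups = {s["group"] for s in shares}
    has_kyber, has_mlkem = 0x6399 in groups, 0x11EC in groups
    if has_kyber and has_mlkem:
        return "both"
    if has_mlkem:
        return "ml-kem"
    if has_kyber:
        return "kyber-draft"
    return "none"


def build_client_key_share(entries: list[tuple[int, bytes]]) -> bytes:
    """Serialize a KeyShareEntry list (used here to construct sample input)."""
    payload = b"".join(struct.pack("!HH", g, len(ke)) + ke for g, ke in entries)
    return struct.pack("!H", len(payload)) + payload


# Constructed samples with dummy key material (all zero bytes, not real keys):
# a hello offering the new hybrid plus plain x25519, and an older one still
# offering the Kyber draft codepoint.
SAMPLE_NEW = build_client_key_share([(0x11EC, bytes(1216)), (0x001D, bytes(32))])
SAMPLE_OLD = build_client_key_share([(0x6399, bytes(1216)), (0x001D, bytes(32))])

if __name__ == "__main__":
    for label, sample in (("new client", SAMPLE_NEW), ("old client", SAMPLE_OLD)):
        shares = parse_client_key_share(sample)
        print(label, pq_status(shares))
        for s in shares:
            print(f"  {s['name']:<24} 0x{s['group']:04X} {s['length']} bytes ok={s['length_ok']}")
```

Fed with key_share bodies pulled from a packet capture, this tells you whether clients on a network have moved to the new codepoint. A client that offers only 0x6399 to a server that only supports 0x11EC will have no hybrid group in common and will fall back to classical X25519, which is the interoperability consequence of the change described above.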
The development comes on the heels of the National Institute of Standards and Technology (NIST) publishing the final versions of three post-quantum cryptography standards designed to protect current systems against future attacks by quantum computers, marking the culmination of eight years of work by the agency.
The standards in question are FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber), FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, derived from SPHINCS+). ML-KEM is intended for general encryption, that is, establishing keys, while ML-DSA and SLH-DSA are digital signature schemes. A fourth algorithm, FN-DSA (originally called FALCON), is due to be finalized later this year.
ML-KEM stands for Module-Lattice-Based Key-Encapsulation Mechanism and is derived from the third-round version of the CRYSTALS-KYBER KEM. It lets two parties communicating over a public channel establish a shared secret key; Chrome combines it with X25519 in a hybrid so that the TLS connection stays secure as long as at least one of the two components holds.
Meanwhile, Microsoft is preparing for the coming of the quantum era by announcing updates to its SymCrypt cryptography library that will add support for ML-KEM and the eXtended Merkle Signature Scheme (XMSS).
“Adding support for post-quantum algorithms to our underlying cryptographic engine is the first step towards a quantum-resistant world,” the Windows maker said, noting that the transition to post-quantum cryptography (PQC) is a “complex, multi-year, iterative process” that requires careful planning.
This disclosure follows the discovery of a cryptographic flaw in the Infineon cryptographic library used by its SLE78, Optiga Trust M, and Optiga TPM security microcontrollers that could allow extraction of Elliptic Curve Digital Signature Algorithm (ECDSA) private keys from YubiKey hardware authentication devices.
The flaw, a non-constant-time modular inversion (an extended Euclidean algorithm, hence the attack's name) in the library's ECDSA implementation, is believed to have gone unnoticed for 14 years and through around 80 Common Criteria certification evaluations at the highest assurance level.
The side-channel attack, codenamed EUCLEAK (CVE-2024-45678, CVSS score: 4.9), was reported by Thomas Roche of NinjaLab and affects all Infineon security microcontrollers that embed the vulnerable cryptographic library, as well as the following YubiKey devices:
- YubiKey 5 series versions prior to 5.7
- YubiKey 5 FIPS Series 5.7 and earlier
- YubiKey 5 CSPN Series 5.7 and earlier
- YubiKey Bio Series versions prior to 5.7.2
- Security Key Series All versions prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0
“An attacker would need physical possession of a YubiKey, security key, or YubiHSM, knowledge of the targeted account, and specialized equipment to carry out the necessary attack,” Yubico, the company that makes the YubiKey, said in the joint advisory.
“Depending on the use case, an attacker may also require additional knowledge such as a username, PIN, account password, or (YubiHSM) authentication key.”
However, existing YubiKey devices with vulnerable firmware versions cannot be updated (an intentional design choice to maximize security and avoid introducing new vulnerabilities), making them permanently vulnerable to EUCLEAK. The firmware version of a key can be read with the Yubico Authenticator app or the ykman info command-line tool, which is how administrators can identify affected devices in a fleet.
The company has since announced that it is dropping Infineon's cryptographic libraries in favor of its own, starting with YubiKey firmware 5.7 and YubiHSM 2 firmware 2.4.0.
A similar side-channel attack against the Google Titan Security Key was demonstrated by Roche and Victor Lomne in 2021; it exploited an electromagnetic side channel in the device's embedded secure element to recover the key and clone the device.
“The (EUCLEAK) attack requires physical access to the secure element (acquiring a local electromagnetic side channel a few times, i.e. a few minutes, is sufficient) in order to extract the ECDSA private key,” Roche said. “In the case of FIDO protocols, this allows cloning of a FIDO device.”