Google Chrome to shield encryption keys from promised quantum computers
QC crypto-cracking coming in 5, 10, maybe 50 years, so act … now?
Google has started deploying a hybrid key encapsulation mechanism (KEM) to protect the sharing of symmetric encryption secrets during the establishment of secure TLS network connections.
Devon O'Brien, technical program manager for Chrome security, explained on Thursday that starting in Chrome 116 – due August 15 – Google's browser will include support for X25519Kyber768, an alphanumeric salad that desperately needs a catchy name.
The unwieldy term is a concatenation of X25519, an elliptic curve algorithm that's currently used in the key agreement process for establishing a secure TLS connection, and Kyber-768, a quantum-resistant KEM that last year won NIST's blessing for post-quantum cryptography.
A KEM is a way to establish a shared secret value between two parties so they can communicate confidentially using symmetric key encryption. It's a precursor ritual to secure information exchange over a network. Unless you're a cryptographer or just love math, you're probably fine not knowing the technical details.
Waiting for that fusion-powered quantum computer on Mars
Google is deploying a hybrid version of these two algorithms in Chrome so the web goliath, users of its technology, and other network providers like Cloudflare, can test quantum-resistant algorithms while maintaining current protections.
The Chocolate Factory is doing so because some day, many very bright people believe, quantum computers will be able to break at least some legacy encryption schemes. That belief is what motivated US technical agency NIST in 2016 to call for future-proof encryption algorithms.
Quantum computers, though much discussed, have yet to demonstrate much practical value due to the need for extensive error correction and many times more qubits.
Google in 2019 said it had conducted an experiment that demonstrated quantum supremacy – the idea that a quantum computer could outperform a classical one. But IBM researchers at the time said the same experiment "can be performed on a classical system in 2.5 days and with far greater fidelity." So it was not much of a win for quantum boosters.
In June this year, however, IBM researchers published a study in Nature that claimed a 127-qubit processor set loose on a particular physics problem can, with sufficient error mitigation, outperform a classical computer. If confirmed by other researchers, the results suggest quantum computers have a path toward relevancy.
"It’s believed that quantum computers that can break modern classical cryptography won't arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?" said O'Brien.
"The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves."
O'Brien says that while symmetric encryption algorithms used to defend data traveling on networks are considered safe from quantum cryptanalysis, the way the keys get negotiated is not. By adding support for a hybrid KEM, Chrome should provide a stronger defense against future quantum attacks.
Google's early deployment of the technology also has practical value to network admins because the new hybrid KEM scheme adds more than a kilobyte of extra data to the TLS ClientHello message. When the internet giant conducted a similar experiment with CECPQ2, some TLS middleboxes couldn't handle the traffic because they had a hardcoded limit on message size.
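As an added illustration of the middlebox point (this is example code, not from the article or from Chrome), the snippet below encodes and parses a TLS 1.3 key_share extension and shows how a hybrid share pushes it well past a one-kilobyte cap. The hybrid group's code point and the Kyber-768 key size are assumptions taken from the draft hybrid scheme, not from the article.

```python
import struct

EXT_KEY_SHARE = 0x0033           # TLS 1.3 key_share extension type (RFC 8446)
GROUP_X25519 = 0x001D            # named-group code point for x25519 (RFC 8446)
GROUP_X25519KYBER768 = 0x6399    # assumed code point for the draft hybrid group

X25519_SHARE_LEN = 32            # X25519 public value (RFC 7748)
KYBER768_PK_LEN = 1184           # Kyber-768 encapsulation key (assumed size)
HYBRID_SHARE_LEN = X25519_SHARE_LEN + KYBER768_PK_LEN  # the two are concatenated

def key_share_extension(shares):
    """Encode a key_share extension from a list of (group, key_exchange_bytes)."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    body = struct.pack("!H", len(entries)) + entries        # client_shares vector
    return struct.pack("!HH", EXT_KEY_SHARE, len(body)) + body

def parse_key_share(ext):
    """Return [(group, share_length)] from an encoded key_share extension."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_KEY_SHARE or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed key_share extension")
    (shares_len,) = struct.unpack("!H", ext[4:6])
    pos, end, found = 6, 6 + shares_len, []
    while pos < end:
        group, klen = struct.unpack("!HH", ext[pos:pos + 4])
        found.append((group, klen))
        pos += 4 + klen
    return found

def classic_shares():
    # Constructed dummy share bytes; a real client sends a random public value.
    return [(GROUP_X25519, b"\x11" * X25519_SHARE_LEN)]

def hybrid_shares():
    # A client offering the hybrid group alongside plain X25519 in one ClientHello.
    return [(GROUP_X25519KYBER768, b"\x22" * HYBRID_SHARE_LEN)] + classic_shares()

def exceeds_limit(shares, limit=1024):
    """Flag a key_share block that a middlebox with a hardcoded cap would reject."""
    return len(key_share_extension(shares)) > limit
```

The classic key_share is 42 bytes; the hybrid one is 1,262 bytes before any other ClientHello fields are counted, which is what trips size-capped middleboxes.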
"I think this is a nice development," said Matthew Green, a cryptography professor at Johns Hopkins University, in an email to The Register.
"Quantum computers are probably at least 15 years away, if not more. But in principle any encrypted messages sent today could be stored until those computers are eventually built.
"By adding post-quantum encryption to today’s connections, that threat is eliminated. Plus this gives us a very good opportunity to test out some of these new encryption systems long before they’re really needed."
Rebecca Krauthamer, co-founder and chief product officer at QuSecure, told The Register in an email that while this technology sounds futuristic, it's useful and necessary today for two reasons.
"First, data is being intercepted today for later decryption in what is referred to as a harvest now decrypt later attack," she said.
"There are many forms of data shared via browser-based communications that are valuable now, and will continue to be valuable into the future, including private email communications, electronic health records, bank account information, and more."
Krauthamer said data that needs to be safeguarded in the future should be protected with quantum resilient cryptography today. She also pointed out that President Biden last year signed H.R.7535, The Quantum Computing Cybersecurity Preparedness Act, which requires US government agencies to begin moving toward quantum resilient cryptography.
"Google is making a fantastic step toward enabling users to protect their communications," she said.
"At QuSecure we are working from a parallel angle allowing organizations and governments to enable quantum resilient encryption for their own data and that of their users. We will sometimes hear our clients asking if it's already too late to deploy this kind of technology to protect their data if some of it has already been harvested. The answer is absolutely not, but we cannot wait any longer."
Second, said Krauthamer, the arrival of capable quantum computers should not be thought of as a specific, looming date, but as something that will arrive without warning.
"There was no press release when the team at Bletchley Park cracked the Enigma code, either," she said.
"Revealing these developments would have shifted the balance of power. If you've created an incredibly powerful tool, you don't show your hand, whether you're working for good or bad. This principle is going to apply to whoever achieves a cryptographically relevant quantum computer. It's a game where keeping the upper hand means keeping secrets.
"This means that we can’t know when it will come online, but it will likely happen without our knowledge, and it’s imperative we deploy this defensive technology today to not be caught flat footed." ®