Chrome to adopt NIST-approved post quantum encryption on desktop

 In this photo illustration, a silhouetted woman holds a smartphone with the Google Chrome logo displayed on the screen.
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Google is set to upgrade its post-quantum encryption protection on its web browser desktop with the new Chrome 131 release.

This comes as the National Institute of Standards and Technology (NIST) officially released the first three quantum-resistant approved algorithms on August 13, 2024. The Tech giant first introduced hybrid quantum-safe encryption back in April based on the experimental Kyber TLS key exchange system and has now decided to switch to the new ML-KEM standard.

While the full implementation of quantum computing being a ways off still – experts estimate Q-day to happen between five and 10 years for now – it's just a matter of time before current encryption methods become obsolete. Hackers know that and they've already begun executing what's known as "store now, decrypt later (SNDL) attacks." This is why it is crucial for all software providers using encryption to kick off the post-quantum transition as soon as possible.  

Switching to the ML-KEM algorithm  

After over a decade of testing more than 80 algorithms, NIST released the first three quantum-resistant encryption standards last month which are designed for specific tasks.

The Module Lattice Key Encapsulation Mechanism (ML-KEM) is the primary standard for cryptographic key exchanges. This is essentially the process of protecting the exchange of information across a public network like in the case of web browsers or the best VPN apps. The ML-KEM algorithm is based on what was previously known as CRYSTALS-Kyber, exactly what Chrome adopted back in April. 

As Google explains in a blog post: "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber.

"We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations."

Quantum computing concept. Digital communication network. Technological abstract.

(Image credit: Getty Images)

Why do we need post-quantum encryption?

For the less techy out there, encryption is the process of scrambling data into an unreadable form to make sure that only the sender and receiver can access the information.

For instance, today's VPN protocols often leverage RSA-based key exchanges to ensure only you and your receiver can encrypt and decrypt the information. Web browsers like Google Chrome use a similar methods based on TLS key exchange to secure your data in transit.

As mentioned earlier, today's encryption is set to eventually lose its effectiveness due to quantum computers's ability to process computations that stump current machines, within minutes. If you want some more technical details on how quantum computing breaks encryption, I suggest you watch the explainer below from Veritasium:

The biggest takeaway here is that the cryptographic world must get ready to fight back against new security threats coming from a mass adoption of quantum computers.

The NIST standardized algorithms come, in fact, with instructions on how to implement them and their intended uses to better support developers to embark on their PQ transition.

At the time of writing, just a handful of VPN providers have already embraced the new era of VPN security, while more companies are working to upgrade their protections. Secure messaging app Signal also added post-quantum encryption last September. On July 2023, secure email provider Tuta (formerly known as Tutanota) also shared its plans to bring post-quantum cryptography to the cloud with its PQDrive project.

We expect more and more developers to join the PQ revolution. As experts at NIST pointed out, in fact, "full integration will take time." 

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com