Sampei.Nihira, Posted May 6, 2024 (edited)

I would like to inform MSFN members that Chrome 124 (and Edge 124) has enabled the "X25519Kyber768Draft00" Hybrid Post Quantum Key + QUIC by default.
It will almost certainly be enabled by default in future versions of Firefox as well. In Firefox Nightly it is already at default.
I remind you that QUIC is already enabled by default in Firefox.

Test: https://pq.cloudflareresearch.com/

Some problems: https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/

I have been experimenting with the Hybrid Post Quantum Key since Jan. 19, 2024, even in Firefox, and have yet to detect any problems loading websites.
I also performed CPU + Layout/sec measurements of website loading with the Hybrid Post Quantum Secure Key + QUIC.

MSFN members who do not like the Hybrid Post Quantum Key enabled + QUIC are required to set the flags to the "disabled" value.

Edited October 29, 2024 by Sampei.Nihira

D.Draker, Posted May 6, 2024

4 hours ago, Sampei.Nihira said:
> I have been experimenting with the Hybrid Post Quantum Key since Jan. 19, 2024

Oh, not again! Kyber has been obsolete and outdated for ages, I warned you, you don't listen, I honestly don't understand why. D.Draker never gives bad advice.

On the link below, you can enjoy the precise instructions on brute-forcing that weak "encryption" method.

"Challenge 1: Breaking baby Kyber."

"After a couple of hours (or way less depending on your configurations), we obtain the following solution..."

Decrypting the communications:

"From this point, having recovered the four server private keys (one for each communication), the rest of the challenge is straightforward. Having access to the ciphertext from the pcap file, we can use the OQS_KEM_kyber_NS_decaps function to recover the 32-byte shared secret. Here is the example code for the case NS5"

https://blog.quarkslab.com/sandboxaq-ctf-2024.html

Dixel, Posted May 29, 2024

They bumped up the minimum demand to Chrome/Edge/Firefox 124, lol. Basically, update your browser every two weeks now. Supermium and Thorium are obsolete.

https://pq.cloudflareresearch.com/

Dixel, Posted May 29, 2024

A bit "laxed" requirements for mobile users.

"For older Chrome or on Mobile, you need to toggle TLS 1.3 hybridized Kyber support (enable-tls13-kyber) in chrome://flags."

I don't see such a flag in "older" Chrome 113.

D.Draker, Posted May 29, 2024

8 hours ago, Dixel said:
> A bit "laxed" requirements for mobile users.
> "For older Chrome or on Mobile, you need to toggle TLS 1.3 hybridized Kyber support (enable-tls13-kyber) in chrome://flags."
> I don't see such a flag in "older" Chrome 113.

The new version of that "Modern Kyber Cipher" is broken, again.

https://msfn.org/board/topic/186243-beware-new-quic-kyber768-quantum-resistant-mechanism-is-broken-workaround-to-disable-it-in-chrome-124

Sampei.Nihira (Author), Posted May 29, 2024

I also use a "reinforcement" called NIST-P384 algorithm TLS Kyber Confidentiality. I have no problem with it.

The problem you brought to attention (even then for clients) is due to a bug in the servers:

https://tldr.fail/

Sampei.Nihira (Author), Posted October 29, 2024

Firefox 132.0 supports the new standard X25519MLKEM768.

D.Draker, Posted November 21, 2024

It says it's OBSOLETE, yes, written in Capslock.

https://browserleaks.com/tls

Saxon, Posted November 21, 2024

12 hours ago, D.Draker said:
> It says it's OBSOLETE, yes, written in Capslock.
> https://browserleaks.com/tls

Oh yeah, the standard changes almost every month, and they also say "enabling both Kyber and ML-KEM simultaneously (e.g., as an interim phase until Kyber768 is completely removed) would mean the client sends an additional 2,432 bytes (1,216 for each plus 32 bytes for a fallback X25519 keyshare)."

https://www.netmeister.org/blog/tls-hybrid-kex.html

D.Draker, Posted November 21, 2024

That's precisely what I wrote, the one @Sampei.Nihira suggested is already obsolete, and the new one is:

SecP256r1MLKEM768 (0x11EB)

@Sampei.Nihira, study, study and study!

https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html
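
Added example, not part of any post in this thread: a Python parser for the key_share extension body of a TLS 1.3 ClientHello that reports which of the groups named above a client offers and how many bytes each share takes. 0x11EB is quoted in the thread; the other code points and the share sizes are assumptions filled in from the IANA TLS Supported Groups registry and the Kyber768/ML-KEM-768 key sizes, and the input is constructed (zero-filled shares).

```python
import struct

# NamedGroup -> (name, expected client key_exchange length in bytes).
# 0x11EB is quoted in the thread; the rest are filled in from the IANA registry.
GROUPS = {
    0x001D: ("x25519", 32),
    0x0017: ("secp256r1", 65),
    0x6399: ("X25519Kyber768Draft00", 32 + 1184),
    0x11EC: ("X25519MLKEM768", 1184 + 32),
    0x11EB: ("SecP256r1MLKEM768", 65 + 1184),
}

def parse_key_share(ext: bytes):
    """Parse a ClientHello key_share extension body (RFC 8446, section 4.2.8)."""
    if len(ext) < 2:
        raise ValueError("truncated key_share extension")
    (total,) = struct.unpack_from("!H", ext, 0)
    if total != len(ext) - 2:
        raise ValueError("client_shares length does not match extension size")
    shares, pos = [], 2
    while pos < len(ext):
        if pos + 4 > len(ext):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext, pos)
        pos += 4
        if pos + klen > len(ext):
            raise ValueError("KeyShareEntry overruns extension")
        name, expected = GROUPS.get(group, ("unknown", None))
        # size_ok is False when a known group carries a share of the wrong length
        shares.append({"group": group, "name": name, "length": klen,
                       "size_ok": expected is None or expected == klen})
        pos += klen
    return shares

def build_sample() -> bytes:
    """Constructed input: a client offering ML-KEM, Kyber draft and plain X25519."""
    body = b""
    for group in (0x11EC, 0x6399, 0x001D):
        size = GROUPS[group][1]
        body += struct.pack("!HH", group, size) + bytes(size)
    return struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    for s in parse_key_share(build_sample()):
        print(f"0x{s['group']:04X} {s['name']:<22} {s['length']:>5} bytes")
```

On the constructed sample the two hybrid shares add up to 2,432 bytes and the X25519 share to 32, which matches the figures quoted from netmeister.org in the thread.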