Protect current Chrome TLS traffic against future quantum cryptanalysis by deploying the Kyber768 quantum-resistant key agreement algorithm. This is a hybrid X25519 + Kyber768 key agreement based on an IETF standard. This specification and launch is outside the scope of W3C. This key agreement will be launched as a TLS cipher, and should be transparent to users. https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
Post-quantum secure ciphers are larger than classical ciphers. This may cause compatibility issues with middleboxes.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Shipping on desktop | 119 |
OriginTrial desktop last | 118 |
OriginTrial desktop first | 117 |
DevTrial on desktop | 115 |
Shipping on Android | 119 |
OriginTrial Android last | 118 |
OriginTrial Android first | 117 |
DevTrial on Android | 115 |
Shipping on WebView | 119 |
Hi David,
LGTM to experiment from M117 - M118 inclusive. I think that's
what you're asking for - please let me know if I'm reading this
incorrectly. Good luck!
thanks,
Mike
Contact emails
dad...@google.com
Explainer
https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.html
Specification
https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.html
Summary
Protect current Chrome TLS traffic against future quantum cryptanalysis by deploying the Kyber768 quantum-resistant key agreement algorithm. This is a hybrid X25519 + Kyber768 key agreement based on an IETF standard. This specification and launch is outside the scope of W3C. This key agreement will be launched as a TLS cipher, and should be transparent to users. https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
Blink component
Internals>Network>SSL
Search tags
tls, kem, kyber, postquantum
TAG review
TAG review status
Pending
Risks
Interoperability and Compatibility
Post-quantum secure ciphers are larger than classical ciphers. This may cause compatibility issues with middleboxes.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2B37SpGUy9t6bBkP13XQL4mrEaY%2Bu0wAzttjZyr_f2rGA%40mail.gmail.com.
> LGTM to experiment from M117 - M118 inclusive. I think that's what you're asking for - please let me know if I'm reading this incorrectly. Good luck!
Thank you!> Any pointers to learn more about this possible compat problem?
The basic issue is that the Kyber key exchange pushes the ClientHello size to be larger than one packet. This makes it more likely that the call to read() on the TCP socket will not return the entire ClientHello in a single call. Not all implementations are prepared for this (despite the fact that the ClientHello TLS record includes the length at the start, and TCP is stream-based).
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGkh42%2BoZZVLYf3hVfxe9RezK%2B_i26tL6M2r6aFLqd-cvoQvRg%40mail.gmail.com.