Overview
If my webserver is built in the latest version of Go, and your browser is the latest version of Chrome, they are speaking Post-Quantum Cryptography to each other right now.
However, differences in the release cycles mean there will be a regression period at the end of this year, where they revert back to basic elliptic curve cryptography. The two won’t share a common ciphersuite hardened against future quantum computing cryptanalysis until early 2025.
The ‘store-now-decrypt-later’ threat model means your TLS handshakes and internet traffic could be intercepted in the meantime, then revisited when better codebreaking technology is available.
Current Situation
NIST Standards
The draft spec for Post-Quantum Cryptography from NIST lead early adopters (including Go and Chrome) to implement the
X255189Kyber768Draft00 ciphersuite, which offers PQC key encapsulation. NIST have now released the finalised version
of their spec - in August ‘24 - giving rise to the X25519MLKEM768 ciphersuite, which offers a theoretical security
improvement in some (unlikely) contingencies.
Google Chrome
Chome 129 is out at time of writing. (Release date 17th Sep ‘24 - Google.) It speaks Kyber, so webservers with compatible PQC will be able to use the draft version of the NIST spec for TLS.
Go 1.23
Go 1.23 dropped in mid-August ‘24, literally on the same day as the finalised version of the NIST spec. Thanks to a heroic effort by Filippo Valsorda (Youtube), it offers an implementation of the draft spec.
Who is Releasing What, When?
Google Chrome
Chrome is on a 4 week release cycle. They have announced that Chrome 131 will drop the draft version of the spec, and (only) implement the finalised version, as of v131. Based on their stated release cycle, this is inferred to mean on or around 12th Nov ‘24.
Go 1.24
Members of the Go team have suggested an implementation of the finalised ML-KEM standard is a likely addition to Go 1.24. This version is due in Feb ‘25. It is not yet known whether support for the older draft version of the spec will be dropped at the same time, but this was never exported functionality in Go, so it would be within the backwards compatibility guarantee to do so.
Regression
What all this means is that there will be a regression. The Google Chrome team say this wasn’t their intention:
We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations.
The reason given for dropping the draft standard is to get people to stop using it, and that seems fair enough now there’s a finalised version available.
However, there will be a window of time from mid-November 2024 till February ‘25 where the two can’t speak PQC to each
other. If my webserver uses the latest version of Go’s tls package, and your browser is an up-to-date version of
Chrome, the two will be forced to speak in plain old elliptic curve cryptography, with no protection against future
cryptanalysis by quantum computers.
This represents a bit of a bump in the road for our current ‘PQC everywhere’ mission. We’re not quite at the point where web traffic intercepted this year won’t be readable by the quantum-powered technology of the future. Progress is being made, but it will be faltering march for a while to come.