X25519 & Kyber

Google Chrome now supports a TLS 1.3 Quantum Key Exchange

Compiled and researched by Steve Monti SafeCipher.com

The integration of X25519Kyber768 into Google Chrome’s Transport Layer Security (TLS) protocol is a significant move towards mitigating the “Harvest Now, Decrypt Later” threat posed by quantum computing advancements.

This change was introduced in Chrome version 116, it is a response to the growing concerns about quantum computing’s potential to break current cryptographic algorithms in the TLS key exchange.

Understanding X25519Kyber768 and Its Components

X25519 is an elliptic curve algorithm currently popular in TLS for key agreement. It’s known for its efficiency and security within the realm of classical computing.

Kyber-768 is a quantum-resistant Key Encapsulation Method (KEM) that has been recognized by the National Institute of Standards and Technology (NIST) as a leading candidate for general encryption in the quantum computing era.

The combination of X25519 and Kyber-768 is strategic. While X25519 ensures robust security with current technology, Kyber-768 adds a layer of resistance against potential quantum computing attacks. This dual approach ensures that even if one algorithm is compromised, the other still secures the connection.

Addressing the Quantum Threat

Quantum computers, although not yet fully operational at a scale that threatens current cryptographic standards, have the potential to perform complex computations exponentially faster than classical computers. This advancement could enable them to break asymmetric cryptographic methods, which are foundational to internet security today.

The “Harvest Now, Decrypt Later” Threat

This concept involves adversaries collecting encrypted data with the intent to decrypt it later using quantum computers. By updating TLS to use quantum-resistant algorithms now, Chrome aims to secure data against such future threats.

Deployment and system Compatibility

Monitoring and Compatibility

Google plans to monitor the deployment closely, looking for ecosystem incompatibilities. This involves rolling out the feature to Chrome and Google servers, and later to third-party servers as they adopt the technology.

Additional Data Load

The introduction of Kyber-768 increases the data load in the TLS ClientHello message, which might cause compatibility issues with some TLS implementations, especially those with hardcoded message size limits.

Enterprise Policy for Transition

Enterprises facing compatibility issues can temporarily disable X25519Kyber768 using the PostQuantumKeyAgreementEnabled policy, encouraging them to update their systems for long-term compatibility.

Performance Considerations

Incorporating quantum-resistant algorithms must balance security with performance. The algorithms should be efficient on commercially available hardware to avoid significant performance degradation.

Future Proofing and Speculative Changes

Both X25519Kyber768 and Kyber specifications are currently drafts and may undergo changes before finalization, which means Chrome’s implementation could also evolve.


This move by Google Chrome represents a proactive approach to security, addressing not just current threats but also preparing for future advancements in quantum computing.

The careful rollout and attention to compatibility and performance issues highlight the complexity and importance of this transition in internet security.

The initiative that Google has shown highlights the urgency to start your own testing and deployment of external and internal TLS traffic using the X25519+Kyber768 algorithm. Adopting X25519+Kyber768 algorithm hybrid TLS 1.3 tunnels is a sure way to safeguard your data from Harvest Now Decrypt Later attacks.