The prospect of quantum computers breaking most public key encryption in use today has created the need for new schemes that can resist classical and potential quantum attackers alike. Some of these schemes, such as ML-KEM and ML-DSA, are currently in the final stages of standardizations by NIST. Before fully transitioning to post-quantum secure cryptography, an important first step many organizations are taking is protecting against Harvest Now Decrypt Later (HNDL) attacks, where data is collected and stored today, and later decrypted once cryptanalysis improves.
Signal recently introduced PQXDH, which protects against these attacks.
Google’s Chrome browser is using the X25519Kyber768Draft00 hybrid KEM cipher suite in TLS, which combines a post-quantum secure KEM with the classical key exchange. Cloudflare, which is serving a big chunk of the internet, supports it as well.
🎉 We’re excited to announce that now also Bertie, our minimal, verification-friendly implementation of TLS 1.3, supports post-quantum key agreement using X25519Kyber768Draft00 and is fully interoperable with other implementations!
This adds to the suite of post-quantum secure protocols Cryspen offers.
Some background on the KEM itself: It was proposed by Bas Westerbaan and Douglas Stebila in and Internet Draft and uses a combination of the x25519 elliptic curve-based key agreement with Kyber 768, the version of ML-KEM 768 that was submitted in Round 3 of the NIST post-quantum competition. In Bertie, we use our own implementations of Kyber 768 and x25519 that come with libcrux, our library of verified cryptographic implementations.
Want to try it for yourself?
Assuming you’ve the Rust toolchain all set up, grab a copy of the Bertie repository
git clone https://github.com/cryspen/bertie.git
and run the provided simple HTTPS client against a host you know to support this hybrid KEM, e.g. google.com or cloudflare.com:
cargo run -p simple_https_client -- \
google.com \
--ciphersuite SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519Kyber768Draft00
The --ciphersuite argument tells the client to use Bertie with the a ciphersuite including the hybrid PQ-KEM when it tries to establish a connection with the given host.