The internet quietly crossed a threshold in late 2024. With the release of Chrome 131, Google switched its browser’s key-exchange algorithm from the experimental Kyber to ML-KEM — the first fully NIST-standardised post-quantum cryptographic mechanism to ship by default to billions of users. It wasn’t announced with fanfare. Most people never noticed. But for cryptographers and security engineers, it marked the beginning of a new era in web encryption.

Understanding why requires a short tour through the mathematics of keeping secrets — and the machines that threaten to unmake them.

Background

What Is ML-KEM?

ML-KEM stands for Module-Lattice-Based Key Encapsulation Mechanism. Its job is deceptively simple: allow your browser and a web server to agree on a shared secret key over an untrusted public network, without ever transmitting the key itself. That handshake underpins every HTTPS connection you make.

ML-KEM’s lineage traces back to CRYSTALS-Kyber, an algorithm that competed in NIST’s multi-year post-quantum standardisation process. When NIST published its final standards in August 2024 — designating Kyber’s successor as FIPS 203, formally titled ML-KEM — Google moved quickly. The “final version of ML-KEM makes it incompatible with the previously deployed version of Kyber,” the Chrome team noted, so the swap had to be clean and complete.

The NIST Post-Quantum Standards (FIPS, August 2024)

FIPS 203 — ML-KEM: Key encapsulation for encrypted key exchange (the focus of this article).

FIPS 204 — ML-DSA (formerly CRYSTALS-Dilithium): Digital signatures.

FIPS 205 — SLH-DSA (formerly SPHINCS+): Hash-based digital signatures.

A fourth algorithm, FN-DSA (originally FALCON), was slated for finalisation shortly after.

Why lattices? A brief intuition

Classical key exchange methods — such as ECDH (Elliptic Curve Diffie–Hellman) — rest on the difficulty of certain mathematical problems like computing discrete logarithms on elliptic curves. These are hard for classical computers. They are not hard for a sufficiently powerful quantum computer running Shor’s algorithm.

Lattice-based cryptography operates on a fundamentally different problem: finding the shortest vector in a high-dimensional geometric lattice. Imagine arranging billions of points in a 768-dimensional space — ML-KEM-768 operates at this scale — and trying to identify one specific point among them. Current mathematical understanding suggests no known quantum algorithm dramatically accelerates this search. The lattice doesn’t crack the way elliptic curves do.

“The transition to post-quantum cryptography is a complex, multi-year and iterative process.”

— Microsoft, on its own parallel PQC integration, 2024
Implementation

How Chrome Deploys It: Hybrid Mode

Chrome does not simply replace old encryption with new. Instead, it employs a hybrid key-exchange mechanism called X25519MLKEM768. This combines two algorithms simultaneously:

X25519 is the modern, highly optimised elliptic-curve algorithm that has secured the web for years. ML-KEM-768 is the post-quantum layer. Both run in parallel during the TLS 1.3 handshake, and the shared secret is derived from both outputs combined. This means:

If a quantum computer eventually breaks X25519, the ML-KEM layer remains intact. If ML-KEM is found to have an unexpected mathematical flaw, X25519 still provides classical-level protection. The connection is only as weak as the stronger of the two algorithms — security engineers call this property hybrid composability.

Verify Your Connection in Chrome

1. Click the lock or tuner icon in the address bar.

2. Select “Connection is secure”“Certificate is valid”.

3. Open DevTools (F12) → Security tab. Look for X25519MLKEM768 as the Key Exchange mechanism. If present, your connection is post-quantum protected.

Chrome DevTools → Security Panel — What to Look For
// Connection → Security tab in Chrome DevTools Protocol: TLS 1.3 Key exchange: X25519MLKEM768 ← post-quantum hybrid active Cipher: AES_128_GCM
Timeline

A Corrected Record of Events

A common misconception places ML-KEM’s default Chrome enablement in 2026. The actual timeline is earlier — and the rollout was completed before most commentary acknowledged it.

April 2023
Kyber Arrives in Chrome

Google ships experimental post-quantum protection via X25519Kyber768, the precursor hybrid scheme, to Chrome Stable for all users. Early TLS compatibility issues with some middleboxes emerge.

August 2024
NIST Finalises ML-KEM (FIPS 203)

The U.S. National Institute of Standards and Technology publishes the complete technical specification for ML-KEM, granting it full federal standardisation status.

November 2024
Chrome 131: ML-KEM Ships by Default

Google releases Chrome 131, switching from experimental Kyber to the final ML-KEM standard. The hybrid codepoint 0x11EC (X25519MLKEM768) becomes Chrome’s default key-exchange offer for TLS 1.3. Firefox 132 and Edge 131 follow suit.

Chrome 138 (2025)
ML-KEM Becomes Non-Optional

Google removes the flag allowing users to disable ML-KEM. The enterprise policy PostQuantumKeyAgreementEnabled is slated for removal by Chrome 147, making post-quantum key exchange a permanent, non-negotiable feature.

Early 2026
Enterprise Policy Sunset Imminent

Chrome 147 (preview available April 2026) targets full removal of the temporary enterprise override policy. Server operators are urged to complete their ML-KEM migrations.

Threat Model

The “Harvest Now, Decrypt Later” Threat

The urgency behind ML-KEM’s rapid deployment isn’t theoretical. Security researchers have documented a strategy — sometimes called SNDL (Store Now, Decrypt Later) — in which adversaries intercept and archive encrypted traffic today, with the intent of decrypting it once quantum computers are available. Sensitive communications captured in 2024 could be readable in 2034.

Experts estimate the arrival of a “cryptographically relevant quantum computer” — one powerful enough to break current public-key cryptography at scale — between five and ten years from now. That window is narrow enough that every year of delay in deploying post-quantum encryption compounds the risk to data that must remain confidential long-term: medical records, state communications, financial instruments, legal correspondence.

Chrome’s hybrid approach means that encrypted traffic sent through Chrome 131 and later is protected against SNDL attacks, even if an adversary is archiving it today.

Fact Check

Verdict on the Circulating Summary

A widely shared explanation of this topic contains accurate technical concepts but one significant factual error. Here is a point-by-point assessment:

ML-KEM definition and Kyber lineage Accurate. ML-KEM is correctly described as the NIST-standardised successor to CRYSTALS-Kyber.
Correct
Lattice-based cryptography explanation The high-dimensional geometry analogy is a reasonable, non-misleading simplification.
Correct
Hybrid X25519 + ML-KEM mode Accurately described. Chrome does run both algorithms simultaneously and derives security from both.
Correct
“Store now, decrypt later” threat The risk is real and well-documented; the framing is fair.
Correct
X25519MLKEM768 visible in browser DevTools Confirmed. Users can verify this in Chrome’s Security panel today.
Correct
“In 2026, enabling ML-KEM by default in Chrome was a milestone” This is incorrect. ML-KEM shipped as Chrome’s default in Chrome 131, November 2024 — not 2026. By Chrome 138 (2025), users could no longer disable it. The 2026 milestone is the removal of the enterprise override policy.
Incorrect
Claim that ECDH broadly is vulnerable Accurate in spirit, but worth clarifying: it is specifically public-key / key-exchange algorithms (ECDH, RSA) that Shor’s algorithm threatens. Symmetric ciphers like AES are far more resistant.
Nuance
What This Means

For Developers and Server Operators

Chrome’s side of the transition has been completed. The outstanding work lies with servers. When Chrome offers X25519MLKEM768 during a TLS handshake, the server must support ML-KEM to negotiate it; otherwise, the connection falls back to classical X25519 alone — still secure by today’s standards, but without post-quantum protection.

Major CDN providers including Cloudflare and Akamai have rolled out ML-KEM support. Google’s own services were among the first to negotiate it. For self-managed servers, OpenSSL 3.x and BoringSSL (used by Chrome itself) both include ML-KEM support. The enterprise policy PostQuantumKeyAgreementEnabled — which allowed organisations to temporarily disable the feature for compatibility testing — is being retired with Chrome 147, making this transition effectively mandatory for the Chrome ecosystem.

The web’s capillaries are being re-plumbed, connection by connection. The quantum computers that would exploit the old plumbing do not yet exist at cryptographically relevant scale. But the window to act closes a little more with each passing year — and for data that must stay secret for decades, the encryption protecting it must be chosen today.