A new path for Kyber on the web

Google Chrome will switch from Kyber to the standardized ML-KEM post-quantum key exchange algorithm. ML-KEM will use a different TLS codepoint (0x11EC) than Kyber (0x6399), and Chrome will offer key share predictions for ML-KEM. The flag and enterprise policy for post-quantum key agreement will apply to both Kyber and ML-KEM. Chrome will no longer support Kyber and will not support Kyber and ML-KEM simultaneously. The decision to drop Kyber was made due to its experimental nature, the large size of post-quantum cryptography, and the desire to avoid ossification on non-standard algorithms. Server operators can temporarily support both algorithms to maintain security with a wider range of clients. Google is working on an IETF draft for key share prediction to avoid the need for an extra round trip when using large post-quantum algorithms.