X25519Kyber768 Hybrid Post-Quantum Key Exchange for HTTPS

[fac-trax]

Hybrid key exchange in SSL handshake using ML-KEM in addition to default already has significant usage thanks to Google and Cloudflare. It appears to only be supported currently in TLS 1.3 but is intended for TLS 1.2 as well.

[ghen2]

but is intended for TLS 1.2 as well

The IETF does not intend to backport PQ cryptography to TLS 1.2:
https://www.ietf.org/archive/id/draft-ietf-tls-tls12-frozen-02.html#name-implications-for-post-quant

[jschauma]

I think at this point we want to track X25519MLKEM768 (IANA Key Share Entry Group '4588'); X25519Kyber768Draft00 was intended to be experimental and to be replaced by the standardized FIPS 203 X25519MLKEM768. Firefox shipped ML-KEM support in 132.0; Chrome added an experimental flag #use-ml-kem in 130, and based on their announcement will enable that and disable Kyber in 131 (which should go stable on 2024-11-11).

Keeping track of X25519Kyber768Draft00 is probably going to be moot at that point.