Post-quantum cryptography (PQC)
Post-quantum cryptography (PQC) refers to cryptographic algorithms that have been designed to resist attacks from quantum computers ↗. Cloudflare has been researching and writing about post-quantum ↗ since 2017.
To protect you against the risk of harvest now, decrypt later ↗, and considering all the connections that take place when your website or application is on Cloudflare, we have deployed and are actively expanding the use of post-quantum hybrid key agreement.
Refer to Cloudflare Radar ↗ for current statistics on the adoption of PQ encryption in requests to Cloudflare.
Before TLS can protect your communications, three cryptographic algorithms have to be agreed on during the TLS handshake ↗:
- Symmetric ciphers: Algorithms used to encrypt and decrypt data, ensuring confidentiality and integrity (such as
CHACHA20-POLY1305). - Key agreement: A cryptographic protocol that allows client and server to safely agree on a shared key (such as
ECDH). - Signature algorithms: Cryptographic algorithms used to generate the digital signatures in TLS certificates (such as
RSAandECDSA).
As explained in our blog post ↗, symmetric ciphers are already post-quantum secure, which means there are two migrations left to occur.
With TLS 1.3, X25519 ↗ - an Elliptic Curve Diffie-Hellman (ECDH) protocol - is the most commonly used algorithm in key agreement. However, its security can be easily broken by quantum computers using Shor's algorithm ↗.
It is urgent to migrate key agreement to post-quantum algorithms as soon as possible. The objective is to protect against an adversary capable of harvesting today's encrypted communications and storing it until some time in the future when they can gain access to a sufficiently powerful quantum computer to decrypt it.
In response to this, Cloudflare is an early adopter of ML-KEM, the post-quantum key agreement selected by the US National Institute of Standards and Technology (NIST). For a detailed timeline and more background information refer to The state of the post-quantum Internet ↗.
Cloudflare has deployed the following hybrid key agreements:
- X25519MLKEM768 ↗ (Recommended)
- TLS identifier:
0x11ec
- TLS identifier:
- X25519Kyber768Draft00 ↗ (Obsolete)
- TLS identifier:
0x6399
- TLS identifier:
A hybrid key agreement lays the groundwork as more and more clients adopt post-quantum cryptography, while also maintaining the current security provided by X25519. It is a safer path in case of an unexpected breakthrough that renders all variants of ML-KEM insecure.
The migration to post-quantum signatures is less urgent and more involved. Cloudflare is closely following the developments of new standards, testing their performance, and working together with browsers to understand user impact.
For details refer to A look at the latest post-quantum signature standardization candidates ↗.
flowchart LR
accTitle: Three connections - from visitor to Cloudflare to origin server
accDescr: Diagram showing connections for an uncached request.
A[Visitor]
subgraph Cloudflare
X[(Cloudflare <br />service A)]
B[(Cloudflare <br />service B)]
end
C[(Origin server)]
A --1--> X
X --2--> B
B --3--> C
As of October 2022 ↗, all websites and APIs served through Cloudflare over TLS 1.3 support post-quantum hybrid key agreement. However, the connection is only post-quantum secured if the client also supports PQC.
Refer to Post-quantum cryptography support for a list of browsers and other clients that are compatible with hybrid key agreements.
As announced in September 2023 ↗, most internal connections for Cloudflare's products and systems have been upgraded to use PQC.
Finally, Cloudflare also supports hybrid key agreements when connecting to origins. In this case, post-quantum secured connections will depend on the origin servers also supporting PQC.
Refer to Post-quantum cryptography between Cloudflare and origin servers for details.