PQC support
The sections below summarize third-party software support for the post-quantum algorithms Cloudflare has deployed, organized by software category. Contributions to keep the listing up to date are welcome.
Two classes of algorithm are tracked:
- Key agreement — the X25519MLKEM768 ↗ hybrid, which protects against harvest-now-decrypt-later ↗ attacks on encrypted traffic. Refer to hybrid key agreement for background.
- Signatures — ML-DSA ↗, the post-quantum digital signature algorithm standardized by NIST. It is defined with three parameter sets (ML-DSA-44, ML-DSA-65, ML-DSA-87), of which ML-DSA-44 is the variant Cloudflare is currently evaluating for deployment. Refer to post-quantum signatures for background.
Browsers are grouped by the underlying rendering engine and TLS stack. Browsers sharing an engine generally share the same post-quantum support, but derivative browsers can lag the upstream engine or disable post-quantum features by policy. Verify behavior in the specific browser version you care about before assuming derivative support. Cloudflare Radar's browser support check ↗ is a quick way to confirm whether a given browser negotiates post-quantum key agreement with Cloudflare.
- Key agreement: ✅ Default in Brave 1.73.86+ (Chromium 131)
- Signatures: Not yet
- Reference: Brave ↗
- Key agreement: ✅ Default in Chrome 131+
- Signatures: 📝 Planned via Merkle Tree Certificates ↗
- Reference: Chrome ↗, Cultivating a robust and efficient quantum-safe HTTPS ↗
Chrome is not planning to add traditional X.509 post-quantum certificates to the public Chrome Root Store. Instead, Chrome is developing MTCs in the IETF PLANTS working group, currently in a feasibility study phase with Cloudflare.
- Key agreement: ✅ Default in Edge 131+
- Signatures: Not yet
- Reference: Edge ↗
- Key agreement: ✅ Default in Opera 116+ (Chromium 131)
- Signatures: Not yet
- Reference: Opera ↗
- Key agreement: ✅ Default in Firefox 132+ (Desktop), 145+ (Android)
- Signatures: Not yet
- Reference: Firefox ↗
For QUIC/HTTP3, Firefox 135+ (Desktop).
- Key agreement: ✅ Default in Tor Browser 15.0+
- Signatures: Not yet
- Reference: Tor Browser ↗
Based on Firefox ESR with additional hardening.
- Key agreement: ✅ Default in Safari 26+
- Signatures: Not yet
- Reference: Safari ↗
System-wide in iOS 26, macOS Tahoe 26, and other Apple operating systems ↗.
This section splits into the foundational native libraries (written in C/C++) and the language bindings and higher-level libraries that build on top of them.
- Key agreement: ✅
- Signatures: ✅
- Reference: aws-lc ↗, Post-Quantum Cryptography in AWS-LC ↗
ML-KEM-512/768/1024 and hybrids X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024; ML-DSA-44/65/87.
- Key agreement: ✅
- Signatures: ✅
- Reference: BoringSSL ↗
ML-DSA-44/65/87.
- Key agreement: ✅ Default in TLS since 3.7.0
- Signatures: ✅ 3.6.0+
- Reference: Botan ↗
ML-DSA-44/65/87.
- Key agreement: ✅ 3.8.9+ compiled with leancrypto 1.2.0+ (or 3.8.8–3.8.9 with liboqs 0.11.0+)
- Signatures: ✅ 3.8.10+ — usable in TLS handshakes
- Reference: GnuTLS ↗
Hybrids X25519MLKEM768 and SecP256r1MLKEM768 from 3.8.8+; SecP384r1MLKEM1024 added in 3.8.9+. ML-DSA-44/65/87.
- Key agreement: ✅ Default in 3.5.0+
- Signatures: ✅ 3.5.0+
- Reference: OpenSSL ↗
Hybrid X25519MLKEM768 in 3.5.0+; SecP256r1MLKEM768 and curveSM2MLKEM768 added in 3.6.0+. ML-DSA-44/65/87.
- Key agreement: ✅ liboqs 0.10.0+, oqs-provider 0.7.0+
- Signatures: ✅ liboqs 0.14.0+, oqs-provider 0.9.0+
- Reference: Open Quantum Safe ↗
Reference implementations, not recommended for production.
- Key agreement: ✅
- Signatures: Not yet
- Reference: s2n-tls ↗
AWS's open-source TLS implementation built on AWS-LC.
- Key agreement: ✅
- Signatures: 🚧 Behind unstable feature
- Reference: aws-lc-rs ↗
Rust bindings around AWS-LC; underlies rustls-post-quantum's ML-DSA support. ML-KEM via aws-lc-rs::kem ↗; ML-DSA-44/65/87 via unstable::signature ↗.
- Key agreement: ✅
- Signatures: ✅ 1.5.0+ via sign/mldsa ↗
- Reference: CIRCL ↗
Pure-Go cryptographic primitives library. ML-KEM-512/768/1024 and ML-DSA-44/65/87.
- Key agreement: ✅ Default in Go 1.24+
- Signatures: 🚧 Internal implementation in Go 1.26; public crypto/mldsa ↗ proposed for Go 1.27
- Reference: Go ↗
Cloudflare's fork of Go ↗ also supports key agreement via CIRCL.
- Key agreement: ✅ Default in Java 27+ (JEP 527 ↗)
- Signatures: 🚧 Java 24+ provides ML-DSA APIs (JEP 497 ↗) but they are not yet integrated into javax.net.ssl TLS
- Reference: OpenJDK ↗
- Key agreement: ✅ Default in 24.5.0+ and 22.20.0+ (backported ↗)
- Signatures: ✅ 24.5.0+
- Reference: Node.js ↗
Uses bundled OpenSSL 3.5. ML-DSA-44/65/87.
- Key agreement: ✅ ml-kem ↗
- Signatures: ✅ ml-dsa ↗
- Reference: RustCrypto ↗
Pure-Rust crates, independent of AWS-LC. ML-DSA-44/65/87.
- Key agreement: ✅ Enabled by default since rustls 0.23.27
- Signatures: 🚧 Unstable
- Reference: rustls ↗
TLS library built on top of rustls-post-quantum.
- Key agreement: ✅ X25519MLKEM768
- Signatures: 🚧 Unstable ML-DSA support (behind aws-lc-rs-unstable feature)
- Reference: rustls-post-quantum ↗
Extension crate for rustls that provides post-quantum algorithms using aws-lc-rs under the hood.
- Key agreement: ✅ Zig 0.14.0+ (client)
- Signatures: Not yet
- Reference: Zig ↗
- Key agreement: ✅ Default in Caddy 2.10.0+
- Signatures: Blocked on Go crypto/mldsa
- Reference: Caddy ↗
- Key agreement: ✅ Default when compiled with OpenSSL 3.5+ (instructions ↗)
- Signatures: ✅ When compiled with OpenSSL 3.5+
- Reference: NGINX ↗
- Key agreement: ✅ Default in 0.9.4+
- Signatures: Blocked on Rust PQ signature support
- Reference: rpxy ↗