Cloudflare Research: Post-Quantum Key Agreement
On essentially all domains served (1) through Cloudflare, including this one, we have enabled hybrid post-quantum key agreement. We are also rolling out support for post-quantum key agreement for connection from Cloudflare to origins (3). Check out our blog post the state of the post-quantum Internet for more context.
Checking connection …
Deployed key agreements
Available with TLSv1.3 including HTTP/3 (QUIC)
| Key agreement | TLS identifier | |
|---|---|---|
| X25519MLKEM768 | 0x11ec (recommended) | |
| X25519Kyber768Draft00 | 0x6399 (obsolete), 0xfe31 |
|
0xfe30 |
Software support
X25519MLKEM768
- Default for Firefox 132+ (Beta) [new!]
- Default for Chrome 131+ (Beta) [new!]
- Our fork of Go.
- BoringSSL.
X25519Kyber768Draft00
- Default for Chrome 124-130 on Desktop.
For older Chrome or on Mobile, you need to
toggle TLS 1.3 hybridized Kyber support
(
enable-tls13-kyber) inchrome://flags. - Default for Edge 124+.
- Default for recent Opera and Brave.
- Firefox 124+
if you turn on
security.tls.enable_kyberinabout:config. Firefox 128+ andnetwork.http.http3.enable_kyberfor QUIC/HTTP3. - Our fork of Go.
- Default for Go 1.23. [new!]
- BoringSSL.
- Our fork of QUIC-go.
- Goutam Tamvada's fork of Firefox.
- Open Quantum Safe C library.
- Zig 0.11.0+
- nginx when compiled with BoringSSL (guide).
- Caddy HTTP server nightly compiled with Go 1.23+.
- Botan C++ library 3.2.0+ (instructions)
- ISRG's fork of Rustls [new!]
References
- The state of the post-quantum Internet (early 2024)
- tldr.fail explains how large post-quantum ClientHello could break buggy software.
Contact
You can reach us directly at ask-research@cloudflare.com with questions and feedback.
