Cloudflare Research: Post-Quantum Key Agreement

On essentially all domains served (1) through Cloudflare, including this one, we have enabled hybrid post-quantum key agreement. We are also rolling out support for post-quantum key agreement for connection from Cloudflare to origins (3).

Checking connection …

Deployed key agreements

Available with TLSv1.3 including HTTP/3 (QUIC)

Key agreement	TLS identifier
X25519Kyber768Draft00	`0x6399` (recommended) and `0xfe31` (obsolete)
X25519Kyber512Draft00	`0xfe30`

X25519Kyber[x]Draft00 is a hybrid of X25519 and Kyber[x]Draft00 (in that order).

Software support

Chrome 116+ if you turn on TLS 1.3 hybridized Kyber support (enable-tls13-kyber) in chrome://flags.
Firefox 124+ if you turn on security.tls.enable_kyber in about:config. [new!]
Our fork of Go.
BoringSSL. Upstream only supports 0x6399; for the others use our old fork.
Our fork of QUIC-go.
Goutam Tamvada's fork of Firefox.
Open Quantum Safe C library.
Zig 0.11.0+
nginx when compiled with BoringSSL (guide).
Caddy HTTP server nightly compiled with cfgo.
Botan C++ library 3.2.0+ (instructions)

References

tldr.fail explains how large post-quantum ClientHello could break buggy software.

Contact

You can reach us directly at ask-research@cloudflare.com with questions and feedback.