Cloudflare Research: Post-Quantum Key Agreement

On essentially all domains served (1) through Cloudflare, including this one, we have enabled hybrid post-quantum key agreement. We are also rolling out support for post-quantum key agreement for connection from Cloudflare to origins (3).
Checking connection …
Deployed key agreements
Available with TLSv1.3 including HTTP/3 (QUIC)
Key agreement | TLS identifier | |
---|---|---|
X25519Kyber768Draft00 | 0x6399 (recommended) and 0xfe31 (obsolete) |
|
X25519Kyber512Draft00 | 0xfe30 |
Software support
- Chrome 116+
if you turn on
TLS 1.3 hybridized Kyber support
(
enable-tls13-kyber
) inchrome://flags.
[new!] - Our fork of Go.
- BoringSSL
[new!]. Upstream only
supports
0x6399
; for the others use our old fork. - Our fork of QUIC-go.
- Goutam Tamvada's fork of Firefox.
- Open Quantum Safe. [new!]
- Zig 0.11.0+ [new!]
Contact
You can reach us directly at ask-research@cloudflare.com with questions and feedback.