Attackers collect encrypted data today to decrypt later with quantum computers. ESA counters this with native post-quantum cryptography (PQC), using the X25519MLKEM768 hybrid key exchange to protect client-to-edge traffic. Enabled by default with no configuration required.
Overview
Public-key algorithms in widespread use today, such as RSA and ECDSA, rely on mathematical problems like integer factorization and discrete logarithms. Classical computers need tens of thousands of years to crack them, but large-scale quantum computers could break them quickly using Shor's algorithm.
Post-quantum cryptography (PQC) refers to algorithms that resist quantum attacks while running on classical computers. NIST published the first PQC standards between 2022 and 2024, including FIPS 203 (ML-KEM key encapsulation), FIPS 204 (ML-DSA digital signature), and FIPS 205 (SLH-DSA digital signature).
Attackers can intercept and store encrypted data now, then decrypt it when quantum computers mature. Enable PQC for data that requires long-term protection, such as financial transactions, medical records, and government communications.
Use cases
Post-quantum encryption is enabled by default for all sites. The following scenarios benefit most:
-
Finance and payments: Transaction data has long-term confidentiality value and is the primary target of "harvest now, decrypt later" attacks.
-
Medical and health: Patient data is subject to strict regulations, and its sensitivity does not diminish over time.
-
Government and critical infrastructure: National security and public service systems face the most urgent compliance requirements.
-
SaaS and API services: Platforms handling large volumes of customer data must demonstrate proactive security measures.
-
Cross-border business: Deploying PQC early satisfies multiple regional compliance timelines simultaneously.
Post-quantum encryption capabilities
ESA natively integrates PQC into global edge nodes, protecting client-to-edge traffic against quantum attacks.
Hybrid key exchange
X25519MLKEM768 combines traditional X25519 (elliptic-curve Diffie-Hellman) with ML-KEM-768 (lattice-based key encapsulation). This hybrid approach ensures:
-
If ML-KEM-768 has undiscovered vulnerabilities, X25519 still provides classical security.
-
If quantum computers break X25519, ML-KEM-768 still provides post-quantum security.
X25519 provides perfect forward secrecy (PFS), so a compromised session key does not affect other sessions. ML-KEM-768 adds quantum resistance on top of this.
TLS 1.3 and QUIC support
Post-quantum key exchange supports the following protocols:
-
TLS 1.3: Based on the IETF draft-ietf-tls-ecdhe-mlkem draft. Compatible with all TLS 1.3 clients.
-
QUIC: Based on IETF RFC 9000. PQC key exchange is negotiated during the QUIC handshake to protect HTTP/3 traffic.
Enabled by default for all sites
All domains connected to ESA automatically use post-quantum key exchange. No configuration changes, certificate replacements, or cipher suite adjustments are required. Clients that do not support post-quantum algorithms can still establish TLS connections.
This feature has no corresponding console toggle or configuration and is enabled by default.
Supported algorithms and standards
|
Capability |
Algorithm / Standard |
Description |
|
Key encapsulation |
ML-KEM-768 (FIPS 203) |
NIST-standardized post-quantum key encapsulation mechanism |
|
Hybrid key exchange |
X25519MLKEM768 |
X25519 + ML-KEM-768 hybrid approach, balancing traditional and post-quantum security |
|
Transport protocol |
TLS 1.3 / QUIC |
Covers both HTTPS and HTTP/3 |
|
Client support |
Chrome 131+, Edge 131+, Firefox 132+ |
Enabled by default in all major browser implementations |
Verify post-quantum encryption is active
Prerequisites
Ensure the following before you verify:
-
Browser: Chrome 131 or later. Enter
chrome://versionto check your version. -
curl: Requires OpenSSL 3.5+ or OpenSSL with oqs-provider.
-
ESA site: HTTPS must be working correctly.
Verify using Chrome Developer Tools
-
Open an ESA-accelerated domain in Chrome.
-
Press F12 or right-click the page to open Developer Tools, then switch to the Security panel.
-
In the Connection section, check Key exchange. If it shows
X25519MLKEM768, PQC is active.
Verify using curl
Run this command to check the TLS handshake key exchange algorithm:
curl -vso /dev/null https://your-domain.com 2>&1 | grep -i mlkemIf the output contains X25519MLKEM768, PQC is active.