
Post-Quantum Cryptography (PQC)


What is Post-Quantum Cryptography (PQC)?

By now, most people involved in cybersecurity in some way will have heard: we’re living through one of the biggest cryptographic transitions in history. PQC isn’t some distant sci-fi concept anymore. It’s real, it’s being standardized, and it’s already protecting some traffic across the Internet today.

If you want to learn more about what PQC means, there are plenty of well-written explainers out there:

It’s live!

You can quickly verify if your browser supports PQC by visiting pq.cloudflareresearch.com.

Want to see who else is ahead of the curve? PQScan.io tracks PQC deployment across the web and allows you to scan websites for PQC support.

If you are curious about the overall adoption trend of PQC, check out the Cloudflare Radar Data Explorer.

Take action!

Governments around the world are already pushing for PQC adoption.

As a website owner, or if you work in cybersecurity at a company, you should generally do the following:

  • Audit your crypto dependencies. If you don’t know where RSA and ECC live in your stack, you can’t protect against quantum threats. This inventory is painful but essential.
  • Motivate your vendors. Don’t assume your security tools are quantum-ready. Ask specific questions about PQC roadmaps. The vendors who can’t answer clearly aren’t prepared.
  • Design for crypto-agility. Build systems that can swap algorithms without architectural changes. The next cryptographic transition won’t be our last.
  • Test before you need to. Spin up a lab environment with PQC enabled. Learn what breaks before your hand is forced by compliance requirements or security incidents.

Technical Requirements for PQC

When a proxy service sits in front of your site, there are three connections in the life of a request where PQC needs to be applied. We will take Cloudflare as the example here.

graph LR
    A["🌐 Client Browser<br/>Chrome (Latest)<br/>🔐 PQC Ready"]
    B["☁️ Cloudflare<br/>Edge Network<br/>🛡️ Global Proxy"]
    B2["☁️ Cloudflare<br/>Edge Network<br/>🔗 Internal Nodes"]
    C["🖥️ Origin Server<br/>Your Application<br/>🏠 Backend"]
    A -.->|"🔒 CONNECTION 1<br/>TLS 1.3 + PQC<br/>Quantum-Safe Handshake"| B
    B -.->|"⚡ CONNECTION 2<br/>Internal Network"| B2
    B2 <-.->|"🚇 CONNECTION 3<br/>Cloudflare Tunnel<br/>--post-quantum flag"| C
    style A fill:#0f4c75,stroke:#0f4c75,stroke-width:3px,color:#fff
    style B fill:#3282b8,stroke:#3282b8,stroke-width:3px,color:#fff
    style B2 fill:#3282b8,stroke:#3282b8,stroke-width:3px,color:#fff
    style C fill:#bbe1fa,stroke:#1b262c,stroke-width:3px,color:#1b262c
    linkStyle 0 stroke:#ff6b35,stroke-width:4px
    linkStyle 1 stroke:#f7931e,stroke-width:4px
    linkStyle 2 stroke:#c5d86d,stroke-width:4px

Client to Cloudflare

When your website is proxied through Cloudflare, the only requirements for PQC to work are the following:

  • Enable TLS 1.3.
  • The client browser supports PQC, for example the latest Chrome version.

More details here.

Within Cloudflare

Cloudflare has been upgrading internal connections to support PQC since September 2023.

Cloudflare to Origin Server

This is usually the most challenging part to configure, as your origin server needs to support PQC. However, it can be made simple when using Cloudflare Tunnel and enforcing PQC with the --post-quantum flag.

More details here.

The Future

Quantum computing might not break the Internet tomorrow, but we need to keep up with the latest developments, adapt to them, and keep improving.

PQC adoption is well underway for key exchange and symmetric encryption. However, further development is still required, especially to make digital signatures and certificate chains post-quantum secure.


Disclaimer

Educational purposes only. We are using the term PQC interchangeably for anything post-quantum related here.

I myself am not a cryptography expert, but I find this topic very interesting and I am curious about what the future of cryptography and privacy will look like.