Current State of Transport Layer Security (TLS) Post-Quantum Cryptography

Posted by: Robert Levine

Current State of Transport Layer Security (TLS) Post-Quantum Cryptography

In May 2024, a comprehensive Transport Layer Security (TLS) scan conducted by TrustFour across the Fortune 1000 externally facing websites and domains.  Across the entire Fortune 1000 domains, only 177 supported the Post Quantum key encapsulation hybrid cipher suite X25519_Kyber76.  ​​

The result isn’t surprising given that post quantum support has not yet been incorporated in a IETF standard for TLS and a draft IETF Hybrid Key Exchange in TLS V1.3 draft standard is the only one we found supported.

It should also be noted that, no other post quantum algorithm was supported.   To validate this, TrustFour scanned support for the following ten (10) post quantum algorithms: kyber512, p256_kyber512, x25519_kyber512, p256_kyber768, x25519_kyber768, kyber768, p384_kyber768, x448_kyber768, kyber1024, and p521_kyber1024.   

TrustFour is planning to publish this report every quarter and will include progress charts at the end of Q3 2024.   To see if your site is post quantum configured at our free TLS Compliance checking site. 

The Challenge of Post-Quantum Encryption

The rise of quantum computing poses a significant threat to classical encryption algorithms used in Transport Layer Security (TLS). Quantum computers, once sufficiently advanced, could break widely used cryptographic schemes such as RSA and elliptic curve cryptography (ECC), which are currently considered secure and are the basis of the key exchange used within TLS. This vulnerability primarily affects three aspects of TLS:

  1. Key Exchange: Traditional methods like RSA and ECC could be easily broken by quantum computers using Shor’s algorithm. This would expose the exchanged keys, compromising the security of the session.
  2. Streaming Ciphers: Algorithms such as AES, while still considered secure against quantum attacks, might require larger key sizes to ensure post-quantum security.
  3. Authentication Credentials: Digital signatures based on RSA or ECC could be forged, undermining the authenticity and integrity of communications.

The Notion of “Capture Now, Decrypt Later”

One of the most pressing concerns is the notion of “capture now, decrypt later.” This concept refers to the ability of adversaries to capture encrypted communications today and store them until they have access to quantum computers capable of decrypting them. This future threat necessitates the immediate adoption of quantum-resistant algorithms to protect sensitive information from being compromised in the future.

The Current State of the Draft IETF RFC for X25519_Kyber768

The Internet Engineering Task Force (IETF) has been actively working on developing standards to incorporate post-quantum cryptographic algorithms into existing protocols. The draft RFC for X25519_Kyber768 represents one such effort, introducing a hybrid approach that combines the classical X25519 elliptic curve key exchange with the quantum-resistant Kyber768 algorithm.

This hybrid method ensures that even if one of the algorithms is broken (e.g., by a quantum computer), the other still provides security, thus safeguarding the key exchange process. The draft RFC outlines the technical specifications, integration guidelines, and security considerations for deploying this hybrid cipher suite within TLS.

Support in Common Libraries and Browsers

Adoption of post-quantum algorithms depends significantly on their support within widely used cryptographic libraries and browsers. As of May 2024:

  • Libraries: Leading cryptographic libraries such as OpenSSL, BoringSSL, and WolfSSL have started incorporating support for X25519_Kyber768. This integration allows developers to build applications that can negotiate post-quantum key exchanges.
  • Browsers: Mainstream web browsers, including Chrome, Firefox, and Safari, are in various stages of experimental support and deployment. Early adopters and beta versions may already support the hybrid cipher suite, with full support anticipated as the standard matures.

Computational and Data Transport Differences

Implementing post-quantum cryptography introduces notable differences in computational requirements and data transport sizes compared to traditional methods:

  1. CPU Cycles: Kyber768, being a lattice-based algorithm, generally requires more computational resources than classical ECDH (X25519). The key exchange operations can demand several million CPU cycles, significantly higher than the tens of thousands typically needed for X25519.
  2. Data Sizes: Post-quantum algorithms also involve larger key sizes and ciphertexts. For example, the public key size for Kyber768 is approximately 1,088 bytes, and the encapsulated key size is about 1,120 bytes, compared to the 32-byte keys in X25519. This increase in data size affects both the speed and bandwidth efficiency of secure communications.
  3. Hardware Acceleration: While traditional ECDH algorithms can leverage existing cryptographic accelerators present in modern CPUs, post-quantum algorithms like Kyber768 currently lack such widespread hardware support. This absence of dedicated acceleration hardware results in higher CPU usage and longer processing times for post-quantum operations.

In December 2023, NIST published a paper titled “Migration to Post-Quantum Cryptography Quantum Readiness: Testing and Draft Standards”  that provides additional details on the performance of the post quantum algorithms. 


Post-quantum cryptography is rapidly becoming a crucial aspect of securing communications against future threats posed by quantum computing. The initial focus has been on developing and deploying quantum-resistant key exchange mechanisms, such as the hybrid X25519_Kyber768 cipher suite. Although adoption remains limited, with only 176 out of 10,000 servers in a recent scan supporting the hybrid suite, the momentum is building.   

Organizations must prepare for this transition by ensuring cryptographic agility within their infrastructure. This involves being able to quickly update cryptographic protocols and algorithms and implementing compliance controls to verify that their environments are correctly configured and operating securely.

Browse the site to learn more about TLS compliance testing, cryptographic agility with centralized control and the use of mTLS for Workload Segmentation control plane.


As of May 2024, the F1000 domains that support post quantum TLS algorithm  X25519_Kyber76 were: