Cloudflare has announced the general availability of post-quantum cryptography for several of its services and internal systems. While promising a higher privacy standard for the post-quantum era, the new feature depends on post-quantum cryptography support in browsers and on the final link between Cloudflare and origin servers.
After introducing beta support for the X25519+Kyber cipher last October, Cloudflare is now taking the next step and making it generally available for most of its inbound and outbound connections. This includes Cloudflare's most used services, such as 1.1.1.1, API Gateway, Cloudflare Tunnel, and many more. Other services, including Cloudflare Gateway and Cloudflare DNS, will get support for post-quantum crypto in the following weeks.
We don't yet know when quantum computers will have enough scale to break today's cryptography, but the benefits of upgrading to post-quantum cryptography now are clear.
NIST ran an open process to select the best post-quantum ciphers, which it hopes to finalize in 2024 by publishing an official standard. The only key agreement (also known as key exchange or key distribution) method NIST has selected so far is Kyber, which provides the means for two parties to agree on a shared key without an eavesdropper being able to learn anything about it.
Cloudflare's solution is a hybrid one that combines Kyber with classical X25519, with the aim of ensuring the connection remains secure today even if Kyber is at some point shown to be "classically" insecure.
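As an added example (not Cloudflare's code), the hybrid exchange described above in Go, using only the standard library's crypto/ecdh and crypto/mlkem (Go 1.24 or newer; ML-KEM is the NIST-standardized form of Kyber). The share layout (X25519 public key first, then the KEM encapsulation key or ciphertext) follows the TLS hybrid key-share draft; the HMAC label is a constructed placeholder, not a protocol constant.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// must keeps the example short: any key-generation or parsing failure panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives one key from both shared secrets. As in the TLS hybrid
// key-share draft they are concatenated (X25519 first) and fed to an HKDF-
// Extract-style HMAC-SHA256: breaking only X25519 (quantum) or only ML-KEM
// (a future classical flaw) still leaves the attacker one input short.
func combine(x25519SS, mlkemSS []byte) []byte {
	mac := hmac.New(sha256.New, []byte("hybrid-x25519-mlkem768")) // constructed label
	mac.Write(x25519SS)
	mac.Write(mlkemSS)
	return mac.Sum(nil)
}

// hybridHandshake runs client and server in-process and returns both derived keys.
func hybridHandshake() (clientKey, serverKey []byte) {
	// Client key_share: 32-byte X25519 public key, then the ML-KEM-768 encapsulation key.
	cX := must(ecdh.X25519().GenerateKey(rand.Reader))
	cDK := must(mlkem.GenerateKey768())
	share := append(cX.PublicKey().Bytes(), cDK.EncapsulationKey().Bytes()...)

	// Server: X25519 with a fresh key, encapsulate to the client's ML-KEM key, and
	// reply with its X25519 public key followed by the ML-KEM ciphertext.
	sX := must(ecdh.X25519().GenerateKey(rand.Reader))
	sSS1 := must(sX.ECDH(must(ecdh.X25519().NewPublicKey(share[:32]))))
	sSS2, ct := must(mlkem.NewEncapsulationKey768(share[32:])).Encapsulate()
	serverKey = combine(sSS1, sSS2)
	reply := append(sX.PublicKey().Bytes(), ct...)

	// Client: finish X25519 with the server's key and decapsulate the ciphertext.
	cSS1 := must(cX.ECDH(must(ecdh.X25519().NewPublicKey(reply[:32]))))
	cSS2 := must(cDK.Decapsulate(reply[32:]))
	clientKey = combine(cSS1, cSS2)
	return clientKey, serverKey
}
```

Both sides end up with the same 32-byte key, and an eavesdropper who recovers either the X25519 secret or the ML-KEM secret alone cannot reproduce it.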
As mentioned, the end-to-end connection is only secure if all of its links are secured by post-quantum cryptography, which requires both the client, e.g. a browser, and the origin server to use it. While Cloudflare's post-quantum cryptography GA means it will talk to origin servers using post-quantum crypto, this still requires origin servers to support the new cipher. On the browser front, Chrome started to support X25519Kyber768 in Chrome 116, released last August.
Although still in its infancy, quantum computing poses a serious challenge to current cryptography based on prime number factoring. Factoring is a hard problem on classical computers but not on quantum computers, which can solve such problems in a reasonable amount of time.
Even though such machines do not yet exist, the mere possibility that quantum computing will at some point become a reality puts today's encrypted data at risk: somebody could capture encrypted data now and wait for quantum hardware to become available to decrypt it.