Cloudflare cuts aggressive path to PQC with Kyber beta rollout
Cloudflare, a content delivery network and security company, has adopted the recently-chosen Kyber standard for public key encryption as the post-quantum cryptography (PQC) solution for providing transport layer security to all of its website and API customers.
The launch of the beta program comes well ahead of the finalization of the Kyber standard.
It is an announcement of massive significance for multiple reasons:
- Cloudflare is one of the largest CDN companies, and serves just under 20% of the entire Internet, so almost one-fifth of the websites and APIs on the Internet will have a form of PQC protection well ahead of the existence of quantum computers believed to be capable of breaking current encryption.
- Cloudflare is believed to be the first such public Internet infrastructure company to adopt Kyber, which despite being singled out by the National Institute of Standards and Technology (NIST) in July for standardization, still faces potentially two more years of evaluation and work before it is finalized. That means it could change in ways that make it different the version of Kyber that Cloudflare is deploying. The company said in a blog post it accepts this reality and will migrate to new versions as they become available.
- Cloudflare’s decision likely will influence other large companies to embrace PQC sooner rather than later. Its implementation of Kyber, which the blog post goes into in great detail, will be examined very closely.
- Cloudflare is making Kyber available now and for free.
Though it is a bold move, it should hardly come as a surprise, as Cloudflare has been working on PQC efforts itself for years. It has been closely following the NIST standardization proceedings, and has published several in-depth blog posts on the topic in recent months.
The company emphasized in its blog post that the beta program will help the Internet community better understand Kyber and what it is getting into as it embarks on the PQC migration. “The transition to a post-quantum secure Internet is urgent, but not without challenges,” the post stated. “Today we have deployed a preliminary post-quantum key agreement on all our servers — a sizable portion of the Internet — so that we can all start testing the big migration today. We hope that come 2024, when NIST puts a bow on Kyber, we will all have laid the groundwork for a smooth transition to a Post-Quantum Internet.”
The PQC migration is expected to be the big topic of conversation and debate later this month at the IQT Fall Quantum Cybersecurity event in New York City.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.