PQ CRYPTA
PQ Crypta Achieves Production Post-Quantum TLS Deployment with Hybrid X25519MLKEM768 Key Exchange
PQ Crypta announces successful production deployment of Post-Quantum TLS using OpenSSL 3.5.0 with hybrid X25519MLKEM768 key exchange, achieving quantum-resistant transport layer security across all public endpoints with complete HTTP/3 QUIC support and zero compatibility issues.
The deployment represents a significant milestone in cryptographic security, implementing NIST-approved ML-KEM-768 (Module-Lattice-Based Key Encapsulation Mechanism) in a hybrid configuration with classical X25519 elliptic curve cryptography. This hybrid approach provides defense-in-depth protectionβsecure even if either the classical or post-quantum algorithm is compromised.
Deployment Specifications
| Component | Technology | Status |
|---|---|---|
| OpenSSL Version | 3.5.0 (Released April 8, 2025) | β Production |
| Key Exchange | X25519MLKEM768 (Hybrid) | β Active |
| TLS Protocol | TLS 1.3 | β Enforced |
| Transport Protocol | HTTP/3 over QUIC | β Operational |
| Encryption | AES-256-GCM | β Active |
| Deployment Time | 26 minutes (1 minute downtime) | β Complete |
Technical Achievement
The deployment involved compiling OpenSSL 3.5.0 from source with full ML-KEM support, rebuilding nginx 1.28.0 against the new OpenSSL library, and configuring hybrid key exchange priority:
- Primary: X25519MLKEM768 (hybrid post-quantum) for modern browsers
- Fallback: X25519 (classical ECDHE) for legacy browser compatibility
- Final Fallback: NIST P-256 for maximum compatibility
This prioritization ensures maximum quantum protection while maintaining universal browser support with zero breaking changes.
Browser Compatibility
Modern Browsers with PQ TLS Support:
- Chrome 124+ Desktop (X25519MLKEM768 enabled by default)
- Firefox Latest (X25519MLKEM768 support as of August 2025)
- Edge 124+ (Chromium-based, full support)
- Brave (Chromium-based, full support)
Legacy Browsers: Automatically fall back to classical X25519 with no user impact. All browsers remain fully functional with zero compatibility issues.
Hybrid Key Exchange Advantages
The X25519MLKEM768 hybrid approach combines classical and post-quantum cryptography in a single key exchange:
- Quantum Resistance: ML-KEM-768 provides security against quantum computer attacks
- Classical Security: X25519 provides 128-bit security against classical attacks
- Defense in Depth: Protected if either algorithm remains secure
- Future-Proof: Ready for quantum computing era while maintaining current security
- NIST Approved: ML-KEM standardized as FIPS 203 in August 2024
The deployment provides complete end-to-end quantum resistance by combining transport-layer protection (TLS with X25519MLKEM768) with application-layer post-quantum cryptography (ML-KEM-1024, ML-DSA-87, SLH-DSA). This multi-layer approach ensures quantum resistance at every point in the data lifecycle.
Performance Impact
| Metric | Classical (X25519) | Hybrid (X25519MLKEM768) |
|---|---|---|
| Handshake Time | ~1ms | ~2-3ms |
| Key Exchange Size | 32 bytes | ~2,304 bytes |
| Session Resumption | Supported | Fully Compatible |
| User-Visible Impact | N/A | None |
Verification & Testing
All systems have been verified operational:
- OpenSSL 3.5.0 Confirmed: nginx built with OpenSSL 3.5.0 (April 8, 2025)
- ML-KEM Algorithms Available: ML-KEM-512, ML-KEM-768, ML-KEM-1024 verified
- Hybrid Groups Active: X25519MLKEM768, X448MLKEM1024, SecP256r1MLKEM768
- Sites Accessible: https://pqcrypta.com (HTTP/2 200 β )
- API Operational: https://api.pqcrypta.com (HTTP/2 200 β )
- HTTP/3 QUIC Active: Alt-Svc headers confirming QUIC on port 443
The deployment positions PQ Crypta among the earliest production implementations of post-quantum TLS globally, utilizing NIST-standardized algorithms in a real-world environment with full HTTP/3 QUIC support and modern web standards compliance.
Security Guarantees
- Harvest Now, Decrypt Later Protection: Traffic encrypted today remains secure against future quantum computers
- Hybrid Security Model: Protected if either X25519 or ML-KEM-768 remains unbroken
- NIST Compliance: ML-KEM-768 approved as FIPS 203 standard
- Forward Secrecy: TLS 1.3 session keys provide perfect forward secrecy
- Transport + Application: Dual-layer quantum resistance across all data flows
About PQ Crypta
PQ Crypta is a quantum-resistant cryptographic security platform implementing NIST-standardized post-quantum algorithms including ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). The platform provides comprehensive quantum-resistant encryption, digital signatures, and key encapsulation for organizations preparing for the quantum computing era.
For more information, visit https://pqcrypta.com or contact Allan Riddel at contact@pqcrypta.com.