Cloudflare's Quantum Leap: 35% of Traffic Now PQC-Protected
Cloudflare deployed hybrid X25519+ML-KEM on TLS 1.3, protecting ~35% of human traffic and expanding PQC from edge to origin.
Post-quantum cryptography at scale is no longer hypothetical. Cloudflare has deployed hybrid post-quantum key exchange across its global network, running X25519+ML-KEM hybrid key agreement groups on TLS 1.3. That means a large share of the world’s web traffic now has protection against “harvest now, decrypt later” attacks, where someone captures encrypted data today and waits for quantum computers to crack it later.
This is one of the largest real-world post-quantum rollouts to date. It shows that organizations don’t need to wait for quantum computers to start protecting against them.
TL;DR: Cloudflare has shown that hybrid post-quantum TLS works at internet scale today. That makes PQC migration a live operational rollout question, not a distant research project.
Sources:
- Cloudflare PQ Announcement: https://blog.cloudflare.com/post-quantum-for-all/
- ML-KEM Standardization (formerly Kyber): NIST FIPS 203 (2024)
- NIST PQC Program: https://csrc.nist.gov/projects/post-quantum-cryptography
Why this deployment matters
The cryptography community has known for over a decade that classical elliptic curve Diffie-Hellman (ECDHE), the standard way to establish shared secrets during TLS handshakes, will be breakable by quantum computers running Shor’s algorithm. Once broken, any encrypted sessions recorded today could be decrypted retroactively.
Hybrid TLS key agreement addresses this by combining two components:
- A classical key exchange (X25519 or SecP256r1)
- A quantum-resistant lattice-based KEM (ML-KEM-768)
The resulting shared secret stays secure as long as at least one of those components holds up. It’s a belt-and-suspenders approach: you keep compatibility with existing TLS stacks, avoid breaking legacy clients, and add quantum resistance on top of classical assurance.
The edge as deployment advantage
Because Cloudflare operates a global edge network, it can upgrade security at the boundary where client connections first terminate. This gives it two practical advantages:
-
Clients don’t need immediate updates. If a client supports hybrid KEM, it gets used. If not, classical ECDHE fallback keeps things working.
-
Changes scale instantly. A single update at the edge applies to millions of hostnames worldwide.
Cloudflare is now extending hybrid PQ protection beyond the edge to cover internal data center communication and the final hop to origin servers. The result is end-to-end PQ-safe tunnels, not just encryption at the perimeter.
Reference: https://pq.cloudflareresearch.com
Deployment lessons for enterprises
Cloudflare’s approach offers a useful model: transition gradually with hybrid key exchange rather than ripping out classical cryptography all at once.
Step 1: Figure out where you stand
Get visibility into what your infrastructure currently supports:
| Task | Tool | Output |
|---|---|---|
| Quick PQ readiness check | QCready | detects hybrid KEM support on public endpoints |
| Full TLS environment survey | SSLboard | cipher suite inventory, versioning, weak endpoints, upgrade map |
Step 2: Enable hybrid KEMs where you can
- Start with X25519+ML-KEM-768
- Keep classical ECDHE fallback in place
- Watch for handshake failures and TLS alerts (usually from legacy or embedded clients)
Step 3: Expand coverage incrementally
- External perimeter, then internal services, then mobile/embedded client apps, then origin infrastructure
This phased approach mirrors how Cloudflare rolled it out, and it reduces operational risk at each step.
What this means
Quantum-safe TLS is not a future upgrade. It’s something you can deploy today.
The gap between “secure now and later” versus “secure only until quantum arrives” is already factoring into risk models across finance, healthcare, government, cloud platforms, and SaaS.
What Cloudflare’s deployment demonstrates: quantum-resistant cryptography works in production, hybrid TLS scales globally without breaking compatibility, and organizations can start the transition now without service disruption.
Those who adopt hybrid TLS now preserve the confidentiality of today’s traffic against tomorrow’s quantum computers. Those who wait are gambling that their encrypted data won’t be worth decrypting later.