Context
Per the Ahmed et al. (2025) survey (Sections 5.8 and 6), hybrid X25519+ML-KEM is already deployed at scale by Chrome (BoringSSL) and Cloudflare. Sosnowski et al. (2023) measured that hybrid PQC TLS "can be as fast or faster than classical TLS" with no user-noticeable overhead.
QSCG currently has protocol sketches in quantum_safe_crypto/protocols/ but no production-ready hybrid key exchange implementation.
References
- IETF draft: Hybrid PQ Key Exchange in TLS 1.3 (X25519Kyber768)
- Google Chrome Security Blog, Sept 2024: "A new path for Kyber on the web"
- Cloudflare blog, Sept 2023: PQ crypto to origin servers
- Section 6 (Web and Internet Security) in the survey
Acceptance Criteria
Priority
High — HNDL (Harvest Now Decrypt Later) protection for TLS traffic