
Post-quantum cryptography

The encryption that protects communications between browsers, APIs, and origin servers today is based on algorithms such as RSA and Elliptic Curve Cryptography (ECC), which are secure against traditional computing but vulnerable to large-scale quantum computers, which will have enough power to break them.

If your traffic is not protected with post-quantum cryptography, the confidentiality of those communications is already compromised in the long term.

Use case

The problem:

Harvest now, decrypt later (HNDL) attacks do not require a quantum computer today. A malicious actor can intercept and store encrypted traffic (API requests, authentication tokens, or sensitive data in transit) and wait until they have the computational power to decrypt it. For critical data with a long lifespan, such as financial information, medical records, or login credentials, this vulnerability is already present.

The National Institute of Standards and Technology (NIST) published the first post-quantum cryptography standards in August 2024: ML-KEM for key agreement, and ML-DSA and SLH-DSA for digital signatures. It has also set 2030 as the deadline for deprecating RSA and ECC.

Transparent Edge’s response:

Transparent Edge implements post-quantum encryption at the transport layer to secure communications between the user’s browser and your infrastructure, without requiring you to modify your origin servers or your application.

Deployment of the protection strategy:

  • Hybrid key exchange: Transparent Edge establishes the TLS 1.3 handshake using ML-KEM in combination with classic ECDHE. The session key is derived from the most secure algorithm supported by the client, ensuring a secure connection without breaking compatibility with older devices.
  • Edge-to-browser coverage: PQC encryption is applied to the connection between the client (browser) and the Transparent Edge edge, which is the segment most exposed to traffic capture.
  • No changes to the origin server: Transparent Edge acts as a TLS proxy. Your origin does not need native ML-KEM support for client-edge traffic to be protected.
  • Default activation: PQC protection is enabled without additional configuration, following the same principle that has guided the adoption of TLS in the industry: security by default is the only way to protect infrastructure at scale.
  • Compatibility with major browsers: Chrome, Firefox, and Edge already support ML-KEM, which means that the percentage of actual traffic protected is significant from day one.


Protection against HNDL

It ensures that data intercepted today remains unreadable to future quantum decryption capabilities.

Frictionless operation

It does not require dedicated physical connectivity between client and server. PQC runs on the existing network infrastructure without the need for specialized hardware. The performance impact is minimal, even on short-lived TLS connections.

Early regulatory compliance

Alignment with future guidelines from organizations like NIST and government agencies that already require quantum migration plans. Adopting ML-KEM now positions your infrastructure to meet the requirements that will be mandatory in the coming years.

What does Transparent Edge offer to encourage PQC adoption?

Advanced protection layer

Our clients gain an advanced layer of protection without impacting the operation of their services. By delegating encryption management to our distributed network, clients avoid the technical complexity of reconfiguring their origin servers or updating critical cryptographic libraries.

The main advantage is the guarantee that their digital assets and their users' privacy are protected against the technological obsolescence of current encryption systems.

How is it activated and what is the cost?

Post-quantum cryptography support is enabled by default for all traffic using TLS 1.3 and compatible browsers (such as recent versions of Chrome, Firefox, or Edge). No manual intervention or additional configuration is required. This functionality is integrated as a security standard across all our services, so there is no additional cost.

Do you want to know how Transparent Edge manages this transition for your infrastructure?