X25519MLKEM768 TLS-Handshake in Bertie

Jonas Schneider-Bensch
December 19, 2024

Summer has been over for some months in the northern hemisphere, and so is the draft phase of NIST's post-quantum cryptographic standards. Since August 13, 2024, Kyber is standardized as ML-KEM in FIPS 203 for PQ encryption, and Dilithium as ML-DSA and SPHINCS+ as SLH-DSA in FIPS 204 and FIPS 205, respectively, for PQ digital signatures. Read more on how we at Cryspen are building formally verified implementations of these standards in our earlier post on this blog.

In parallel, the IETF has been working on integrating the new standards, in particular ML-KEM, into existing Internet standards. Part of that work is standardizing hybrid post-quantum key agreements for use in the TLS 1.3 handshake.

Having previously announced a hybrid post-quantum TLS handshake based on Kyber and Curve25519 in Bertie, our minimal, verification-friendly implementation of TLS 1.3, we are now proud to announce that Bertie supports the standards-based version of that handshake, X25519MLKEM768, which works much the same way as X25519Kyber768Draft00. Other server-side implementations of X25519MLKEM768 include, e.g., Cloudflare's.

Want to check it out for yourself? Grab one of the latest releases of the Firefox (v132+) or Chrome (v131+) browsers and head on over to https://bertie.cryspen.com. If you are greeted by a lovely demo webpage, you know that your handshake with our server was secured using the PQ hybrid handshake. Since the server is configured to serve only with a PQ ciphersuite, if your browser does not support the PQ handshake the server will not respond, and the page will appear unresponsive.
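To make the "does my browser offer the hybrid group?" check concrete, and to show the wire layout that X25519MLKEM768 shares with (but reverses relative to) X25519Kyber768Draft00, here is an added example that is not Bertie's code and not part of the original post. It parses the `key_share` extension body of a TLS 1.3 ClientHello, reports whether a PQ hybrid group is offered, and splits a hybrid share into its ML-KEM-768 and X25519 components with the length checks a server should perform before handing bytes to the KEM. The NamedGroup code points and component lengths follow the IETF draft and FIPS 203; the sample shares are constructed filler bytes, not real keys, and no actual key agreement is performed.

```python
import struct

# NamedGroup code points (IANA TLS Supported Groups / draft-ietf-tls-ecdhe-mlkem)
X25519 = 0x001D
X25519_KYBER768_DRAFT00 = 0x6399   # pre-standard draft: X25519 share first, then Kyber
X25519_MLKEM768 = 0x11EC           # standards-based hybrid: ML-KEM share first, then X25519

# Component sizes (FIPS 203 ML-KEM-768 and X25519)
MLKEM768_EK_LEN = 1184   # ML-KEM-768 encapsulation key
MLKEM768_CT_LEN = 1088   # ML-KEM-768 ciphertext
X25519_PK_LEN = 32       # X25519 public key
SS_LEN = 32              # each component shared secret

CLIENT_SHARE_LEN = MLKEM768_EK_LEN + X25519_PK_LEN   # 1216
SERVER_SHARE_LEN = MLKEM768_CT_LEN + X25519_PK_LEN   # 1120


def parse_key_share_client_hello(ext_body: bytes) -> list:
    """Parse the body of a ClientHello key_share extension:
    KeyShareEntry client_shares<0..2^16-1>, each entry being
    NamedGroup group (u16) followed by opaque key_exchange<1..2^16-1>.
    Returns a list of (group, key_exchange) tuples."""
    if len(ext_body) < 2:
        raise ValueError("truncated key_share extension")
    (total,) = struct.unpack(">H", ext_body[:2])
    body = ext_body[2:]
    if len(body) != total:
        raise ValueError("client_shares length does not match extension body")
    entries = []
    off = 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated KeyShareEntry header")
        group, ke_len = struct.unpack(">HH", body[off:off + 4])
        off += 4
        if ke_len == 0 or off + ke_len > len(body):
            raise ValueError("bad key_exchange length")
        entries.append((group, body[off:off + ke_len]))
        off += ke_len
    return entries


def build_key_share_client_hello(entries: list) -> bytes:
    """Inverse of parse_key_share_client_hello, used here to construct sample input."""
    body = b"".join(struct.pack(">HH", g, len(ke)) + ke for g, ke in entries)
    return struct.pack(">H", len(body)) + body


def offers_pq_hybrid(entries: list) -> bool:
    """True if the client offered either the standards-based or the draft hybrid group."""
    return any(g in (X25519_MLKEM768, X25519_KYBER768_DRAFT00) for g, _ in entries)


def split_x25519mlkem768_client_share(share: bytes) -> tuple:
    """Client key_exchange for X25519MLKEM768 = ML-KEM-768 ek (1184) || X25519 pk (32).
    Reject anything of the wrong size before the bytes reach the KEM."""
    if len(share) != CLIENT_SHARE_LEN:
        raise ValueError(f"client share must be {CLIENT_SHARE_LEN} bytes, got {len(share)}")
    return share[:MLKEM768_EK_LEN], share[MLKEM768_EK_LEN:]


def split_x25519mlkem768_server_share(share: bytes) -> tuple:
    """Server key_exchange for X25519MLKEM768 = ML-KEM-768 ciphertext (1088) || X25519 pk (32)."""
    if len(share) != SERVER_SHARE_LEN:
        raise ValueError(f"server share must be {SERVER_SHARE_LEN} bytes, got {len(share)}")
    return share[:MLKEM768_CT_LEN], share[MLKEM768_CT_LEN:]


def combine_shared_secret(mlkem_ss: bytes, x25519_ss: bytes) -> bytes:
    """X25519MLKEM768 shared secret = ML-KEM ss || X25519 ss, fed to the TLS key schedule
    in place of the plain (EC)DHE secret. X25519Kyber768Draft00 used the opposite order."""
    if len(mlkem_ss) != SS_LEN or len(x25519_ss) != SS_LEN:
        raise ValueError("component shared secrets must be 32 bytes each")
    return mlkem_ss + x25519_ss


# Constructed samples (filler bytes, not real keys): one ClientHello that offers
# X25519 and X25519MLKEM768, and one that offers only classical X25519.
SAMPLE_X25519_SHARE = bytes(range(X25519_PK_LEN))
SAMPLE_HYBRID_SHARE = b"\xaa" * MLKEM768_EK_LEN + b"\xbb" * X25519_PK_LEN
SAMPLE_EXT_HYBRID = build_key_share_client_hello(
    [(X25519, SAMPLE_X25519_SHARE), (X25519_MLKEM768, SAMPLE_HYBRID_SHARE)])
SAMPLE_EXT_CLASSICAL_ONLY = build_key_share_client_hello([(X25519, SAMPLE_X25519_SHARE)])

if __name__ == "__main__":
    for name, ext in (("hybrid", SAMPLE_EXT_HYBRID), ("classical-only", SAMPLE_EXT_CLASSICAL_ONLY)):
        entries = parse_key_share_client_hello(ext)
        groups = ", ".join(f"0x{g:04X}" for g, _ in entries)
        verdict = "would complete a PQ handshake" if offers_pq_hybrid(entries) else "would get no response from a PQ-only server"
        print(f"{name}: groups [{groups}] -> {verdict}")
```

A PQ-only server like the one behind the demo page can apply `offers_pq_hybrid` to decide whether a ClientHello is serviceable at all; the classical-only sample is exactly the case the post describes, where the page appears unresponsive.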