What is Post-Quantum Readiness?
Post-quantum cryptography (PQC) refers to cryptographic algorithms that remain secure even against quantum computers. NIST standardized ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) in August 2024.
A fully quantum-ready domain uses TLS 1.3 with hybrid key exchange — combining a classical algorithm (X25519) with a post-quantum algorithm (ML-KEM) in the same handshake. This is already deployed by Cloudflare, Google Chrome, and AWS.
What This Tool Checks
| Check | What we test | Why it matters |
|---|
| TLS Version | TLS 1.3 vs 1.2 vs older | TLS 1.3 required for PQ hybrid key exchange |
| Cipher Suite | AES-256-GCM, ChaCha20, weak ciphers | Weak ciphers compromise session security |
| Perfect Forward Secrecy | ECDHE / DHE key exchange | Ensures past sessions can't be decrypted later |
| Certificate | Algorithm, key size, signature type | RSA 2048 will be vulnerable to quantum computers |
| Certificate Expiry | Days until expiry | Expired certs break HTTPS and user trust |
| PQ Key Exchange | X25519MLKEM768, p256_kyber768 | The core post-quantum readiness check |
How the Score Works
| Score | Grade | Meaning |
|---|
| 70 – 100 | Ready | Strong TLS with PQ elements in place |
| 40 – 69 | Partial | Good baseline security but not quantum-ready |
| 0 – 39 | Not Ready | Significant gaps — action required |
PQ Migration Timeline
| Period | Recommended Action |
|---|
| Now | Enable TLS 1.3, disable weak ciphers, upgrade to ECC certificates |
| 2025 – 2027 | Deploy hybrid PQ key exchange (X25519MLKEM768) |
| 2028 – 2030 | Migrate certificates to ML-DSA (Dilithium) or SLH-DSA (SPHINCS+) |
| 2030+ | Full PQC-only deployment across all systems |
References
- FIPS 203: ML-KEM Standard — NIST (2024)
- FIPS 204: ML-DSA Standard — NIST (2024)
- FIPS 205: SLH-DSA Standard — NIST (2024)
- NIST Post-Quantum Cryptography Project
- Cloudflare: Post-Quantum for All
