NHI Forum
Read full article here: https://trustfour.com/current-state-of-transport-layer-security-tls-post-quantum-cryptography/?source=nhimg
In May 2024, TrustFour conducted a TLS scan across all externally facing Fortune 1000 domains to assess their readiness for post-quantum cryptography (PQC). The results revealed only 177 domains supporting the hybrid X25519_Kyber768 cipher suite, the sole draft IETF standard currently available for TLS hybrid post-quantum key exchange. No other PQC algorithms were supported across the dataset.
TrustFour will continue publishing these readiness benchmarks quarterly, providing visibility into industry adoption and tracking progress over time.
The Quantum Threat to TLS
Quantum computing threatens the foundations of today’s TLS security by breaking classical algorithms:
- Key Exchange: RSA and ECC could be broken via Shor’s algorithm.
- Digital Signatures: Forgery of RSA/ECC-based credentials becomes feasible.
- Session Security: Adversaries can exploit “capture now, decrypt later” tactics, storing encrypted traffic today and decrypting it once quantum computers mature.
While symmetric algorithms like AES remain relatively secure, they will require longer key lengths for adequate protection in the post-quantum era.
Current State of PQC Standards
The IETF draft for X25519_Kyber768 introduces a hybrid model, combining classical and lattice-based (Kyber) cryptography for resilience. Key developments:
- Libraries: OpenSSL, BoringSSL, and WolfSSL are incorporating hybrid PQ-TLS support.
- Browsers: Chrome, Firefox, and Safari are rolling out experimental and beta support, pending IETF standardization.
This hybrid approach ensures secure transitions: if one algorithm is broken, the other maintains protection.
Performance Considerations
Implementing PQC introduces trade-offs:
- CPU Usage: Kyber768 requires millions of CPU cycles per operation, far higher than X25519.
- Data Sizes: Kyber768 keys and ciphertexts exceed 1 KB, compared to 32 bytes in X25519, impacting bandwidth and session setup speeds.
- Hardware Acceleration: Current CPUs lack built-in support for PQC, increasing overhead until accelerators mature.
NIST’s December 2023 study on PQC migrations confirms these computational challenges, while reinforcing the urgency to prepare.
Key Findings from the Fortune 1000 Scan
- 177/1000 domains support hybrid PQ-TLS (X25519_Kyber768).
- 0 domains support any other PQC algorithm tested (Kyber512, Kyber768, Kyber1024, etc.).
- Adoption gap underscores slow industry readiness, despite looming risks.
Why It Matters
Post-quantum readiness is no longer theoretical—it’s a business resilience requirement. Organizations must prioritize:
- Crypto-Agility – centralize and automate cryptographic policy enforcement to enable fast adoption of new standards.
- TLS Compliance Testing – continuously validate configurations against PQ-TLS readiness benchmarks.
- mTLS & Workload Segmentation – ensure workload-to-workload encryption and authentication are post-quantum adaptable.
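The readiness check behind these benchmarks comes down to one observation per domain: which key-exchange group the server selects in its TLS 1.3 ServerHello key_share extension after a client offers the hybrid group. The following is an added example, not TrustFour's scanner or any code from the article, that parses a ServerHello, classifies the negotiated group as hybrid PQ or classical, and tallies a set of responses the way the Fortune 1000 summary above does. It assumes the X25519Kyber768Draft00 code point 0x6399 from draft-tls-westerbaan-xyber768d00, a 32-byte X25519 server share versus a 1120-byte hybrid share (32-byte X25519 point plus 1088-byte Kyber768 ciphertext), which also illustrates the data-size trade-off from the Performance Considerations section; the ServerHello messages and domain names are constructed inline so the example runs offline.

```python
import struct

# TLS named-group code points (IANA "TLS Supported Groups" registry). 0x6399 is
# X25519Kyber768Draft00 from draft-tls-westerbaan-xyber768d00 (assumed here as
# the hybrid group the scan tested); the classical entries are for comparison.
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x001d: "x25519",
    0x6399: "X25519Kyber768Draft00",
}
HYBRID_PQ_GROUPS = {0x6399}

HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002b
EXT_KEY_SHARE = 0x0033
TLS13 = 0x0304

# Server key_share sizes in bytes: X25519 is one 32-byte point; the hybrid share
# is the X25519 point followed by a 1088-byte Kyber768 ciphertext.
X25519_SHARE_LEN = 32
HYBRID_SHARE_LEN = 32 + 1088


def build_server_hello(group: int, key_exchange: bytes, session_id: bytes = b"") -> bytes:
    """Build a constructed TLS 1.3 ServerHello handshake message (RFC 8446 s4.1.3).

    Used only to produce offline test input; a real scan reads this message off
    the wire after sending a ClientHello that offers the hybrid group.
    """
    body = b"\x03\x03"                                  # legacy_version
    body += b"\x00" * 32                                # random (constructed, all zero)
    body += struct.pack("!B", len(session_id)) + session_id
    body += b"\x13\x01"                                 # TLS_AES_128_GCM_SHA256
    body += b"\x00"                                     # legacy_compression_method
    key_share = struct.pack("!HH", group, len(key_exchange)) + key_exchange
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + struct.pack("!H", TLS13)
    exts += struct.pack("!HH", EXT_KEY_SHARE, len(key_share)) + key_share
    body += struct.pack("!H", len(exts)) + exts
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg: bytes) -> dict:
    """Extract negotiated version, cipher suite and key_share group from a ServerHello."""
    if not msg or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    off = 2 + 32                                        # skip legacy_version and random
    sid_len = body[off]
    off += 1 + sid_len                                  # skip legacy_session_id_echo
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + 1                                        # cipher suite + compression method
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    result = {"version": None, "cipher_suite": cipher_suite, "group": None, "key_share_len": 0}
    while off < end:
        ext_type, ext_data_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + ext_data_len]
        off += ext_data_len
        if ext_type == EXT_KEY_SHARE:
            # A ServerHello carries exactly one KeyShareEntry: group(2) || len(2) || key_exchange
            group, ke_len = struct.unpack("!HH", data[:4])
            if ke_len != len(data) - 4:
                raise ValueError("key_share length mismatch")
            result["group"] = group
            result["key_share_len"] = ke_len
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            result["version"] = struct.unpack("!H", data[:2])[0]
    return result


def classify(parsed: dict) -> str:
    """'hybrid-pq' if the server picked a hybrid PQ group, 'classical' for known classical groups."""
    group = parsed["group"]
    if group in HYBRID_PQ_GROUPS:
        return "hybrid-pq"
    if group in NAMED_GROUPS:
        return "classical"
    return "unknown"


def tally_readiness(server_hellos: dict) -> dict:
    """Summarise a domain -> ServerHello mapping into counts plus the hybrid-capable domains."""
    counts = {"hybrid-pq": 0, "classical": 0, "unknown": 0}
    hybrid_domains = []
    for domain, msg in server_hellos.items():
        kind = classify(parse_server_hello(msg))
        counts[kind] += 1
        if kind == "hybrid-pq":
            hybrid_domains.append(domain)
    return {"total": len(server_hellos), "counts": counts, "hybrid_domains": sorted(hybrid_domains)}


if __name__ == "__main__":
    # Constructed sample: three hypothetical domains, one of which negotiates the hybrid group.
    sample = {
        "a.example": build_server_hello(0x6399, b"\x00" * HYBRID_SHARE_LEN),
        "b.example": build_server_hello(0x001d, b"\x00" * X25519_SHARE_LEN),
        "c.example": build_server_hello(0x0017, b"\x04" + b"\x00" * 64),
    }
    print(tally_readiness(sample))
```

In a live scan the parser would be fed the first handshake message returned by each server; the important point is that readiness is decided by the group the server selects, not by what the client offers, so a server that ignores the hybrid key share and falls back to x25519 is correctly counted as classical. The 1088-byte difference between the two key_share lengths is the per-handshake bandwidth cost of the Kyber768 ciphertext that the Performance Considerations section refers to.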
Conclusion
The Fortune 1000 are largely unprepared for a quantum-enabled threat landscape. With adversaries already engaging in capture now, decrypt later strategies, organizations must accelerate PQC adoption.
TrustFour’s quarterly benchmarking, TLS compliance tools, and centralized crypto-agility platform provide enterprises with the visibility and operational resilience needed to make a secure and seamless transition into the post-quantum era.