CECPQ2

In cryptography, Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2) is a quantum secure modification to Transport Layer Security (TLS) 1.3 developed by Google. It is intended to be used experimentally, to help evaluate the performance of post quantum key-exchange algorithms on actual users' devices.

Details
Similarly to its predecessor CECPQ1, CECPQ2 aims to provide confidentiality against an attacker with a large scale quantum computer. It is essentially a plugin for the TLS key-agreement part. CECPQ2 combines two key exchange mechanisms: the classical X25519 and HRSS (Hülsing, Rijneveld, Schanck, and Schwabe) scheme (an instantiation of the NTRU lattice based key exchange primitive). Additionally, Kris Kwiatkowski has implemented and deployed an alternative version of post-quantum key exchange algorithm, titled CECPQ2b. Similarly to CECPQ2, this is also a hybrid post-quantum key exchange scheme, that is based on supersingular isogeny key exchange (SIKE) instead of HRSS.

CECPQ2 uses 32 bytes of shared secret material derived from the classical X25519 mechanism, and 32 bytes of shared secret material derived from the quantum-secure HRSS mechanism. The resulting bytes are concatenated and used as secret key. Concatenation is meant to assure that the protocol provides at least the same security level as widely used X25519, should HRSS be found insecure.

The algorithm was to be deployed on both the server side using Cloudflare's infrastructure, and the client side using Google Chrome Canary. Since both parties need to support the algorithm for it to be chosen, this experiment is available only to Chrome Canary users accessing websites hosted by Cloudflare.

It was estimated that the experiment started mid-2019. It was considered a step in a general program at Cloudflare to transition to post-quantum safe cryptographic primitives.

Support for CECPQ2 was removed from BoringSSL in April 2023.