Post-quantum Cryptography Comes to A10 SSL/TLS Data Plane

Hybrid KEM Support in ACOS 7.0.3

The U.S. National Institute of Standards and Technology finalized its first post-quantum cryptographic standards in 2024. While large-scale, cryptographically relevant quantum computers may still be years away, the security decisions we make today must account for tomorrow’s threats. One of the most serious cyber threats is “harvest now, decrypt later,” where encrypted traffic is captured today and stored for future decryption. This risk arises because current public-key cryptography can be broken by future quantum computers. Post-quantum cryptography and hybrid key exchange are required now to ensure long-term data confidentiality.

To address this reality, we are launching hybrid post-quantum cryptography (PQC) support in Advanced Core Operating System (ACOS) 7.0.3, a software platform built from the ground up around the NIST-standardized post-quantum algorithm. It enables customers to begin their PQC transition now, without waiting for new hardware or ecosystem maturity.

Why Post-quantum Cryptography Matters Now

Conventional public‑key cryptography relies on mathematical problems that are difficult for classical computers to solve but are expected to become vulnerable with the rise of quantum computing—putting widely used algorithms such as RSA and elliptic‑curve cryptography at long-term risk.

Post‑quantum cryptography addresses this threat by introducing quantum-resistant algorithms designed to protect data against future quantum adversaries.

Rather than abruptly replacing proven cryptographic methods, A10 implements the industry-standard hybrid KEM approach, which combines classical and post‑quantum algorithms in parallel. With both key exchanges executed simultaneously, an attacker would need to break both to compromise a session.

For SSL/TLS, A10 prioritizes key establishment, as the security of the entire session ultimately depends on the strength of the key exchange. Even the strongest encryption and authentication mechanisms cannot protect a session if the key exchange itself is compromised—making hybrid KEM the most practical and secure first step toward quantum resilience.

PQC Strategy in ACOS 7.0.3

With ACOS 7.0.3, A10 introduces hybrid KEM support in the SSL/TLS data plane using OpenSSL 3.5.

  • Post‑quantum Key Exchange: Establishes encryption keys using hybrid mechanisms that pair classical cryptography with post-quantum algorithms to remain secure even against future quantum computers.
  • Elliptic‑curve Cryptography (Classical Component): Provides proven, efficient cryptographic security today and serves as a trusted component within hybrid post-quantum designs during the transition to quantum‑safe standards.
  • Hybrid Key Establishment Algorithms Supported
    • X25519 + ML‑KEM‑768
    • secp256r1 + ML‑KEM‑768
    • secp384r1 + ML‑KEM‑1024

Client-side SSL (7.0.3)

  • PQC enabled by default
  • Cryptographic preference order:
    • X25519 + ML-KEM-768 (hybrid KEM)
    • X25519
    • secp256r1
    • secp384r1
    • secp521r1
  • Auto negotiates the strongest supported group
  • Administrators can explicitly control behavior using supported-group configuration under SSL template
  • Operationally simple and transparent to existing clients
  • Provides immediate PQC protection for inbound TLS

Server-side SSL (ACOS 7.0.3)

  • Crypto-agile by design using dual-key share model
  • Configure both hybrid KEM and legacy groups using same classical curve
  • Back-end servers can select either hybrid or legacy key share during the TLS handshake
  • No additional handshake messages, preserving performance and saving one RTT
  • Enables seamless coexistence for mixed client/server population during PQC transition
  • Allows gradual, risk-managed PQC rollout without compatibility penalties

This enables PQC adoption without new hardware, allowing customers to:

  • Begin PQC testing and validation immediately
  • Gain operational experience with PQ algorithms
  • Align with evolving NIST standards while maintaining production safety
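
As an added illustration (not A10's or OpenSSL's code), this simplified model of TLS 1.3 group selection shows why the server-side dual-key share approach described above, a hybrid and a legacy key share on the same classical curve, completes the handshake with either kind of back-end server without a HelloRetryRequest. The back-end preference lists, the use of the page's preference order as the offered group list, and the first-mutual-group selection rule are assumptions; the group codepoints are the IANA-registered values.

```python
# Added example: simplified TLS 1.3 group selection (RFC 8446, section 4.2.8).
# Codepoints are the IANA "TLS Supported Groups" registry values.
GROUPS = {
    0x11EC: "X25519MLKEM768",
    0x11EB: "SecP256r1MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x0019: "secp521r1",
}
HYBRID = {0x11EC, 0x11EB, 0x11ED}


def negotiate(client_groups, client_key_shares, server_prefs):
    """Return (group_name, is_hybrid, needs_hrr), or None if no common group.

    Model assumption: the server walks its own preference list and takes the
    first group the client also supports. If the client sent no key share for
    that group, the server must answer with HelloRetryRequest (one extra RTT).
    """
    for group in server_prefs:
        if group in client_groups:
            needs_hrr = group not in client_key_shares
            return GROUPS[group], group in HYBRID, needs_hrr
    return None


# Constructed sample endpoints (assumptions, not taken from a real capture).
PQ_BACKEND = [0x11EC, 0x001D, 0x0017]      # understands the hybrid group
LEGACY_BACKEND = [0x001D, 0x0017, 0x0018]  # classical groups only

OFFERED = [0x11EC, 0x001D, 0x0017, 0x0018, 0x0019]  # preference order from the page
DUAL_SHARE = {0x11EC, 0x001D}   # hybrid + legacy share on the same curve
HYBRID_ONLY_SHARE = {0x11EC}    # single key share, for comparison


def demo():
    """Run both key-share strategies against both back-end types."""
    rows = []
    for label, shares in (("dual", DUAL_SHARE), ("hybrid-only", HYBRID_ONLY_SHARE)):
        for name, prefs in (("pq", PQ_BACKEND), ("legacy", LEGACY_BACKEND)):
            rows.append((label, name) + negotiate(OFFERED, shares, prefs))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this model only the hybrid-only key share against the legacy back end needs a retry; a handshake that falls back to a classical group this way is also the one to watch for when auditing which sessions actually received post-quantum protection.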

Preparing for a Moving Target—Safely

Post-quantum cryptography is not a single event. It’s a journey. Algorithms will evolve. Standards will change. Some candidates may be deprecated.

A10’s philosophy is simple:

  • Start with software
  • Adopt hybrid models
  • Preserve crypto agility

With software-based PQC support in ACOS 7.0.3, A10 customers can confidently begin their post‑quantum journey today—without disrupting existing deployments or betting on unproven assumptions.