Cloud & SQLSailor

Cloud, Databases & Beyond!

,

Post-quantum key exchange – Insurance policy for your packets


2–3 minutes

AWS recently added support for Post-Quantum Key Exchange for TLS in Application Load Balancer (ALB) and Network Load Balancer(NLB). And, our good friend S3 now supports post-quantum TLS key exchange on S3 endpoints as well. So, why is this a big deal now? Lets dive a little deep.

Post-quantum key exchange is about upgrading how the internet agrees on encryption keys so your data stays confidential even in a future where large quantum computers exist. Think of it as replacing the lock on your front door before burglars invent a new skeleton key.

Why this matter now?

Quantum computing threatens the key exchange part of TLS, not just the bulk encryption.​ Many attackers are already in “harvest now, decrypt later” mode: they record encrypted traffic today, planning to decrypt it once quantum machines are good enough.

  • Long‑lived data is at risk: medical records, intellectual property, financial histories, government workloads and many more.​
  • Once quantum machines arrive, anything protected only by traditional key exchange (like RSA or classical ECDHE) could be retroactively unlocked.

So when AWS adds post-quantum key exchange to S3 and Load Balancers, it is not a “nice to have”; it is a time machine insurance policy for your packets.

Traditional TLS key exchange (and its problem)

Today, most TLS handshakes use:

  • RSA key exchange (older) or
  • Elliptic Curve Diffie–Hellman (ECDHE) key exchange (modern default)

They are secure against classical computers, but large-scale quantum computers running Shor’s algorithm could solve the underlying math problems efficiently, breaking the secrecy of those negotiated keys.

In practical terms:

  • An eavesdropper who records your TLS sessions today could, in the future, compute the session keys and decrypt the full traffic.
  • Forward secrecy against classical adversaries does not guarantee secrecy against future quantum adversaries.

It is like whispering secrets in a language that is hard today but will be on Google Translate in 10 years.

Post-quantum key exchange

Post-quantum cryptography uses new math problems believed to be hard even for quantum computers.​ ​

The AWS announcements use:

  • ML‑KEM, a NIST-standardized lattice-based Key Encapsulation Mechanism, for post-quantum TLS key exchange.
  • PQ‑TLS security policies that combine classical key exchange with ML‑KEM (hybrid mode) on ALB/NLB, and ML‑KEM support on all regional S3, S3 Tables, and S3 Express One Zone endpoints.

Hybrid key exchange is basically: “Use the old key exchange and the new PQ key encapsulation; the connection is only broken if both are broken.” It is cryptographic belt and suspenders.

As a bonus, you get to tell your security team: “Yes, we’re using NIST‑standardized post‑quantum algorithms in production,” which sounds way cooler than “we’ll figure it out later.”

Want to learn more, you can read the AWS announcements for ALB/NLB and S3.

Leave a comment

Explore