Key insight

Almost every hop in an agent system opens a TLS session, and TLS key exchange is exactly what quantum breaks. The fix is already shippable: hybrid key exchange (X25519MLKEM768) is on by default in current browsers and supported across the major TLS libraries. The real work is operational — the extra ~1–2 KB per handshake bites a chatty agent mesh, so migrate key exchange first, lean on connection reuse, and move certificate signatures on a slower clock.

In one sentence

Turn on hybrid post-quantum TLS at the edge today, handshake less on the chatty internal hops, and migrate certificate signatures later — because key exchange is the part quantum harvests now.

The channel map

Before you can secure the transport, you have to see it. An agent system opens far more sessions than a typical web app, and they are easy to miss because most are machine-to-machine and never touch a browser. Every one of these hops is a TLS session with a key exchange, a certificate, and often a signed token:

HopWhat opens the sessionCrypto on the wire
Client → gatewayA user or app reaching the orchestrator’s public endpointTLS handshake + server certificate
Orchestrator → sub-agentFan-out to specialised agents, often across services or clustersTLS + mutual certs or signed tokens
Agent → tool / APIFunction calls to internal and third-party APIsTLS + API tokens (RSA/ECDSA-signed)
Agent → model endpointInference calls to a hosted or self-run modelTLS + bearer token
Agent → MCP serverTool/resource discovery and invocation over remote MCPTLS (HTTP/SSE transport) + auth

The pattern that makes AI different is fan-out and frequency. A single user request can trigger dozens of downstream sessions, and a long-running agent loop re-opens them constantly. That density is what turns a per-handshake cost into a system-level one — the point we return to in the cost section.

Where the key exchange and signatures live on an agent hop A single agent-to-tool TLS session broken into its cryptographic parts: an ephemeral key exchange that establishes the session key, a certificate that proves identity, and a signed token that carries authorisation. Agent (client) Tool / model (server) Key exchange — ECDH → ML-KEM (hybrid) harvest-now-decrypt-later target — migrate FIRST Certificate + token signatures — RSA/ECDSA → ML-DSA forgery risk, not harvest — slower, planned clock
One hop, two clocks: the key exchange is harvested now, so it migrates first; signatures are only useful in the moment, so they move on a slower schedule.

What is shippable today

The most important thing to know is that this is no longer a waiting game for the key-exchange half. Hybrid key exchange — running a classical algorithm and a post-quantum one together so the session is safe if either holds — is already deployed at internet scale. The concrete name to look for is X25519MLKEM768: the X25519 elliptic curve run alongside ML-KEM-768.

WhereStatus
Chrome & Edge, FirefoxX25519MLKEM768 enabled by default for TLS 1.3
OpenSSL 3.5Ships ML-KEM and the hybrid groups natively
Go (crypto/tls)X25519MLKEM768 supported and preferred automatically
AWS-LC, BoringSSLHybrid key exchange supported
Cloudflare & major CDNsTerminate hybrid TLS at the edge

For an AI control plane, that coverage maps directly onto the channel map. Any hop that terminates TLS at a modern proxy, gateway, or CDN — and any hop between services written in Go or linked against OpenSSL 3.5 — can negotiate a quantum-safe key exchange today with a configuration change. The remaining gaps are usually older runtimes and language TLS stacks that have not yet shipped the hybrid groups; those are the ones to inventory and track, not to block the whole migration on.

Why hybrid, not pure ML-KEM, for now: lattice cryptography is young in production. Running the classical curve alongside it means a future weakness in either primitive still leaves the session protected by the other. It is the same “belt and braces” logic used everywhere in this guide — you get post-quantum protection now without betting the channel on a single new algorithm.

The real cost: a chatty mesh

Hybrid key exchange is not free, and the cost lands in a place that matters more for agents than for web pages. An X25519 key share is 32 bytes; an ML-KEM-768 public key is about 1,184 bytes and its ciphertext about 1,088 bytes. So a hybrid handshake carries roughly one to two kilobytes of extra key material per connection, split across the client and server messages.

On a single page load that is invisible. On a mesh it compounds, for three reasons specific to agent systems:

The fix is not to avoid post-quantum crypto — it is to handshake less. Every technique that reduces full handshakes pays for itself twice over once the handshake is heavier:

LeverEffect
Connection pooling / keep-aliveReuse one session for many tool calls instead of one per call
TLS 1.3 session resumption (PSK)Resumed sessions skip the key exchange entirely — no ML-KEM cost
HTTP/2 or HTTP/3 multiplexingMany concurrent requests share a single handshake
Long-lived sidecar / mesh connectionsThe proxy handshakes once and carries east-west traffic over it

The practical move is to inventory which hops actually re-handshake per call before optimising anything. In most meshes a handful of short-lived, high-frequency edges dominate the cost; fix those with pooling and resumption and the extra kilobyte becomes a rounding error.

Key exchange first, signatures later

The single most useful sequencing rule is that a TLS session has two kinds of public-key crypto on two different clocks, and they do not migrate together.

Key exchange (ECDH → ML-KEM)Signatures (RSA/ECDSA → ML-DSA)
What it doesAgrees the session’s secret keyProves identity (certs) and authorises (tokens)
Quantum exposureHarvest-now-decrypt-later — recorded today, broken laterForgery only — useful in the moment, not by harvesting
UrgencyNow — the recorded traffic is already at riskPlanned — before quantum arrives, not before it is recorded
Size impact~1–2 KB per handshakeMuch larger: ML-DSA-65 signatures are ~3.3 KB vs ~64 bytes for ECDSA

This is harvest-now-decrypt-later applied to your control plane. An eavesdropper who records a classical key exchange between two agents today can recover that session key once a quantum computer exists, and then read everything the session carried — prompts, tool outputs, retrieved documents. That is why key exchange is the emergency. A signature, by contrast, is only useful while it is being verified; a certificate forged in 2035 does nothing to traffic captured in 2026. Post-quantum signatures are also much larger, which balloons certificate chains and token sizes, so there is a real engineering cost to rushing them.

The exception worth calling out: long-lived roots of trust. A root CA certificate, a firmware-signing key, or a model-signing root that must stay valid for ten to fifteen years is effectively harvested too — an attacker who can forge it in the future can undermine everything chained under it. Those move to conservative, hash-based SLH-DSA on a nearer horizon. Leaf certs and short-lived tokens can wait for ML-DSA to settle. Provenance signatures for models are their own topic — see Signing Models & the MLBOM.

A concrete rollout order

Put the pieces together and the migration has an obvious shape: start where one change covers the most hops and the crypto libraries are already ready, then work inward to the chatty edges.

StepDo thisWhy here
1 · EdgeEnable hybrid TLS on the public gateway / CDN / load balancer that terminates TLSOne config change covers every external client; the edge already supports it
2 · MeshTurn on hybrid in the service mesh / sidecar for internal service-to-service TLSCentralised — the proxy negotiates it; long-lived connections amortise the cost
3 · East-westEnable it on direct agent→agent, agent→tool and agent→MCP callsThe chattiest layer — pair with pooling and resumption so the handshake tax is bounded
4 · SignaturesPlan the move of long-lived roots to SLH-DSA; track ML-DSA for leaf certs and tokensDifferent clock — forgery risk, larger artifacts, no harvesting emergency

Every step above is a configuration or platform choice, not a rewrite — if your services choose their TLS parameters from configuration rather than hard-coding a cipher suite. That is exactly the crypto-agility the assessment part argued for, and the same abstraction discipline AI engineers already apply to models. A team that can point a service at a new key-exchange group without touching application code has already done the hard part.

Finally, make the change observable. Log the negotiated key-exchange group on every connection and chart the share of traffic that is hybrid. A migration you cannot measure is a migration you cannot finish — and “percent of agent hops on X25519MLKEM768” is exactly the kind of line that belongs on the readiness dashboard.

Hybrid
Running a classical key exchange and a post-quantum one together (e.g. X25519 + ML-KEM) so the session is secure if either one survives.
X25519MLKEM768
The TLS 1.3 hybrid key-exchange group pairing the X25519 elliptic curve with ML-KEM-768; enabled by default in current browsers.
TLS
Transport Layer Security — the protocol securing almost every agent, tool, and model connection; its key exchange is what quantum breaks.
Key exchange
The step that agrees a session’s secret key; the harvest-now-decrypt-later target, so it migrates first.
Session resumption
Reusing a previously negotiated TLS secret (a pre-shared key) so a reconnect skips the expensive key exchange entirely.
MCP
Model Context Protocol — how agents reach tools and model endpoints; remote MCP rides on TLS like any other channel.
PKI
Public-Key Infrastructure — the certificates and authorities that prove which service is which; its signatures migrate on the slower clock.
ML-KEM
The post-quantum key-encapsulation standard (FIPS 203) that replaces classical key exchange.
ML-DSA / SLH-DSA
The post-quantum signature standards (FIPS 204 / 205); SLH-DSA is the conservative, hash-based choice for the longest-lived roots of trust.
HNDL (harvest now, decrypt later)
Recording encrypted traffic today to decrypt once a quantum computer exists — the reason key exchange is urgent.

What to carry forward

Next in The AI Frontier: once the channels are safe, prove the artifacts are authentic — Signing Models & the MLBOM →. Or return to the Quantum-Safe AI capstone, or the full series.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm making the transport under an agent system quantum-safe. Quiz me one
question at a time, correcting me gently:

1. Which hops in an agent system open a TLS session, and why are there
   more of them than in a typical web app?
2. What is X25519MLKEM768, and where is it already deployable today?
3. Why does the ~1-2 KB hybrid handshake cost matter more for a chatty
   agent mesh than for a web page, and what reduces it?
4. Why does key exchange migrate before certificate signatures?
5. What is a sensible rollout order, and what would you measure?

References & further reading

  1. NIST, FIPS 203 (ML-KEM). csrc.nist.gov/pubs/fips/203
  2. IETF, Hybrid key exchange in TLS 1.3 & the X25519MLKEM768 group. datatracker.ietf.org — tls-hybrid-design
  3. Cloudflare, The state of the post-quantum internet. blog.cloudflare.com/pq-2024
  4. OpenSSL, 3.5 release notes (ML-KEM & hybrid groups). openssl-library.org — 3.5 notes
  5. Model Context Protocol, specification (transport). modelcontextprotocol.io