Last week’s hot topic was the successful acquisition of the IANA (Internet Assigned Numbers Authority) officially assigned number – 4590 for the post-quantum cryptography hybrid algorithm SM2MLKEM768 by the Zero Trust Browser in collaboration with Alibaba Tonglock SSL. Both the Tonglock cryptography open-source project public account and the Zero Trust Cryptography Application Research Institute public account received a large number of views, shares, and likes, as well as some skepticism. The author recognizes that the popular science of HTTPS encryption is still insufficient, so today we will continue to popularize this knowledge, which is beneficial for promoting the application of HTTPS encryption in our country and ensuring the security of internet data transmission in China.
1
What is an Adaptive Algorithm?
The author has already explained the most “star-level” parameter in the TLS protocol – the TLS cipher suite in last week’s blog post “Interpreting SM2MLKEM768 = 4590”: this is the “recipe book” for TLS encryption, defining the specific “recipe” for encrypted communication: what algorithms to use for key exchange, data encryption, and integrity verification. The registry lists hundreds of suites, from the outdated and disabled “TLS_RSA_WITH_RC4_128_MD5” (value 0x0004) to the modern “TLS_AES_128_GCM_SHA256” (value 0x1301). Why set these parameters? Because encryption algorithms are evolving rapidly, early ones like MD5 have been proven insecure (easily cracked), so IANA standardizes them through expert review, marking them as “recommended” (Y), “not recommended” (N), or “deprecated” (D) to prevent developers from misusing weak suites. This ensures a security baseline for global TLS encryption implementations. What is its purpose? When a browser accesses a website, the browser and server negotiate a cipher suite through the “ClientHello” message. If the negotiation fails, a secure connection cannot be established.
The keyword is “handshake negotiation”; this is the implementation process of an adaptive cipher algorithm, where the browser and server negotiate the most secure cipher suite and protocol that both support to implement HTTPS encryption. In other words: if the browser supports the SM2 algorithm and the web server also supports it, then they will use the SM2 algorithm to implement HTTPS encryption; if the web server does not support the SM2 algorithm, then they will use the international RSA or ECC algorithm to implement HTTPS encryption. Therefore, it can be understood that the national cryptography transformation plan requires the simultaneous application and deployment of national cryptography SSL certificates, upgrading the web server to support national cryptography algorithms, and using browsers that support national cryptography algorithms, or purchasing SSL gateways that support national cryptography algorithms, so that the web server does not need to be transformed.
2
What is an Adaptive PQC Algorithm?
For post-quantum cryptography (PQC) algorithm HTTPS encryption, both the browser and web server must support the PQC algorithm to achieve PQC algorithm HTTPS encryption. Currently, the internationally accepted solution is a hybrid algorithm that combines traditional cryptographic algorithms (X25519) and post-quantum cryptographic algorithms (MLKEM768) for HTTPS encryption. The benefit is that the traditional cryptographic algorithm SSL certificates deployed on the website can still be used; only during the key encapsulation phase is a hybrid shared key generated: one shared key based on X25519 and one quantum-safe shared key based on ML-KEM, which are directly concatenated to form a new shared key, achieving key protection with post-quantum cryptography. This method achieves maximum compatibility; browsers that do not support the PQC algorithm use the X25519 algorithm, while browsers that support the PQC algorithm use the MLKEM768 algorithm. This is the adaptive algorithm approach to achieve post-quantum cryptography HTTPS encryption, which has become the mainstream solution in the global industry. Currently, 51% of global internet traffic uses this hybrid algorithm post-quantum cryptography HTTPS encryption, ensuring that online privacy data can withstand the “future quantum test.”

Tonglock SSL and the Zero Trust Browser have also referenced this international solution. In the absence of a post-quantum cryptography algorithm in our country, they have adopted the SM2 algorithm and the post-quantum cryptography algorithm MLKEM768 to implement hybrid algorithm key encapsulation for HTTPS encryption. This hybrid algorithm is SM2MLKEM768, with the IANA assigned number 4590. As shown in the left image, IANA has already assigned four numbers for traditional cryptographic algorithms and post-quantum cryptography hybrid algorithms: 4587, 4588, 4589, and 4590. The first three traditional cryptographic algorithms are the international ECC algorithm SecP256r1, X25519, SecP384r1, and the fourth is our country’s commercial cryptographic algorithm SM2; three of these four hybrid algorithms use the MLKEM768 algorithm because this algorithm has a moderate key length and sufficient encryption strength. With this number included in the international standard system, global browsers can adopt SM2MLKEM768 to implement hybrid PQC algorithm HTTPS encryption.

As shown in the right image, the SM2 algorithm + PQC algorithm HTTPS encryption implemented by the Zero Trust Browser uses the SM2MLKEM768 algorithm, generating a hybrid key during the key encapsulation phase: one shared key based on SM2 and one quantum-safe shared key based on MLKEM768, which are directly concatenated to form a new shared key, achieving key protection with post-quantum cryptography. This method achieves maximum compatibility; browsers that do not support the PQC algorithm use the SM2 algorithm, while browsers that support the PQC algorithm use the MLKEM768 algorithm. This is the adaptive algorithm approach to achieve post-quantum cryptography HTTPS encryption, which is currently the best commercial cryptography transformation and post-quantum cryptography migration solution. It is not the case that some “experts” worry about not using compliant commercial cryptography algorithms; this is a more secure HTTPS encryption than using only the SM2 algorithm, adding an extra layer of security to ensure that data encrypted with the SM2 algorithm remains secure in the quantum era. Of course, when our country’s post-quantum cryptography algorithm is released in the future, it will only require a simple replacement of MLKEM768 to achieve a hybrid of both algorithms being domestic cryptography algorithms.
To ensure the security of internet data transmission in our country, we cannot wait until the release of the domestic post-quantum cryptography algorithm – the new generation of commercial cryptography – to implement post-quantum cryptography HTTPS encryption. This is because there already exists a security threat of “collecting first and decrypting later”; we must not heed the words of some “experts” who claim that “only the SM2 algorithm can be used, and using the SM2MLKEM768 algorithm is non-compliant.” This is clearly the erroneous thinking of “better to freeze to death than to wear someone else’s cotton pants” and does not conform to the current practice of deploying dual algorithm SSL certificates (RSA/ECC and SM2) for HTTPS encryption applications in our country.
Using the SM2MLKEM768 algorithm is not “non-compliant”; it is compliant, and it is a higher level of compliance – compliance that aligns with the long-term strategic interests of the country. It is a redefinition and expansion of the connotation of “compliance” in the face of new security challenges, actively utilizing global advanced technological achievements while adhering to the fundamental principle of self-control, integrating innovation, and ultimately serving to safeguard national cybersecurity and enhance international influence.
3
What is the Adaptive HTTPS Encryption Algorithm of Zero Trust Technology?
Zero Trust Technology has created a full ecological product for HTTPS encryption, which provides seamless adaptive support for its own ecological HTTPS encryption algorithms. The priority order of the cryptographic algorithms used by the Zero Trust Browser and the Zero Trust National Cryptography HTTPS encryption automation gateway is: (1) Pure domestic PQC algorithm (future), (2) Pure international PQC algorithm (future), (3) SM2 + domestic PQC hybrid algorithm (future), (4) SM2 + PQC hybrid algorithm, (5) ECC + PQC hybrid algorithm, (6) RSA + PQC hybrid algorithm, (7) SM2 algorithm, (8) ECC algorithm, (9) RSA algorithm. This is based on the principle of prioritizing domestic cryptographic algorithms and post-quantum cryptographic algorithms.
Let’s take a look at how the Zero Trust Browser and the Zero Trust National Cryptography HTTPS encryption automation gateway implement this priority for commercial cryptography algorithms and post-quantum cryptography algorithms. As shown in the left image, this bank’s official website supports insecure HTTP plaintext access, and both the Zero Trust Browser and other browsers will prompt “insecure.” As shown in the right image, if accessed via HTTPS, the Zero Trust Browser can display an encrypted lock icon and show the R icon, indicating that the website has deployed an RSA algorithm SSL certificate and uses the RSA algorithm to implement HTTPS encryption.

After deploying the Zero Trust National Cryptography HTTPS encryption automation gateway, the Zero Trust Browser uses the SM2MLKEM768 algorithm to implement post-quantum cryptography HTTPS encryption, and the address bar will display the Q icon. However, other national cryptography browsers that do not support SM2MLKEM768 will use the SM2 algorithm to implement HTTPS encryption when accessing this website. This also indicates that this website is already compliant with commercial cryptography and that it is even more secure by supporting post-quantum cryptography algorithms, indicating that this website has completed the post-quantum migration, ensuring that data encrypted with traditional commercial cryptography algorithms remains secure in the quantum era.

It can be seen that in the case where the Zero Trust Gateway supports PQC algorithms/SM2 algorithms/ECC algorithms/RSA algorithms simultaneously, the Zero Trust Browser prioritizes the use of the PQC algorithm. If the website only supports SM2 and RSA algorithms, the Zero Trust Browser will prioritize the use of the SM2 algorithm. As shown in the left image, Industrial Bank has deployed a dual algorithm (RSA/SM2) SSL certificate and does not support the PQC algorithm, so the Zero Trust Browser uses the SM2 algorithm to implement HTTPS encryption. Meanwhile, the Google Browser, which does not support the SM2 algorithm, uses the RSA algorithm, as shown in the right image.

This is the adaptive algorithm HTTPS encryption: browsers that only support the RSA algorithm use the RSA algorithm to implement HTTPS encryption, national cryptography browsers that support the SM2 algorithm use the SM2 algorithm to implement HTTPS encryption, Google browsers that support the X25519MLKEM768 algorithm use the X25519MLKEM768 algorithm to implement post-quantum cryptography HTTPS encryption, while the Zero Trust Browser that supports the SM2MLKEM768 algorithm uses the SM2MLKEM768 algorithm to implement both commercial cryptography and post-quantum cryptography HTTPS encryption, meeting the needs of users for both commercial cryptography compliance and post-quantum cryptography migration.
4
Obtaining the IANA Number is the Foundation for Implementing Algorithm Adaptation
The design of the TLS 1.3 standard is the most typical and best adherence to the “cryptographic agility” principle. IANA only needs to add a protocol number for TLS support groups, and everyone can develop the corresponding protocol support system based on this number’s RFC draft. This mechanism can quickly realize the timely application of advanced algorithms while achieving maximum compatibility through algorithm adaptation.
China’s commercial cryptography transformation is very important, and this is indisputable. However, with the rapid development of quantum computers, data encrypted with traditional cryptographic algorithms is facing the security threat of “collecting first and decrypting later.” Therefore, the cybersecurity and cryptography industries in China must keep pace with the times and quickly implement hybrid algorithm HTTPS encryption of commercial cryptography algorithms and post-quantum cryptography algorithms, while meeting the needs of key users for commercial cryptography transformation and post-quantum cryptography migration. The assignment of protocol number 4590 for SM2MLKEM768 by IANA provides the possibility to accelerate the implementation of this urgently needed dual transformation application, which is undoubtedly a significant event worthy of praise in the industry. It enhances quantum security based on commercial cryptography compliance and should be the first choice algorithm for China’s current HTTPS encryption commercial cryptography transformation and post-quantum cryptography migration.
The acquisition of protocol number 4590 for SM2MLKEM768 means that this algorithm has become one of the four selectable post-quantum cryptography hybrid algorithms globally, serving as the “official ID” and “pass” for this algorithm to enter the international application stage. It also provides a clear technical direction for domestic cybersecurity vendors, cloud service providers, equipment manufacturers, and cryptography vendors. Chinese enterprises can confidently invest resources to integrate and support this algorithm in their products, thereby promoting the prosperity of the entire domestic cryptography industry and solidifying the foundation of internet security in China.

Interpreting SM2MLKEM768 = 4590
The Zero Trust Browser prioritizes the use of PQC algorithms to implement HTTPS encryption
The Zero Trust Browser makes post-quantum cryptography visible
Winning the future starts with browser support for post-quantum cryptography
Post-quantum cryptography migration is more urgent than commercial cryptography transformation
New ideas for cryptography transformation – the principle of cryptographic agility