PQCrypto Usage & Deployment
Updated: October 4, 2023
Here's a list of software that incorporate PQCrypto (post-quantum cryptography), that is, cryptography resistant to attack from quantum computers.
Note on QKD: Quantum Key Distribution, an unrelated technology, is probably snake oil. It will not be discussed here.
- PQCRYPTO Project
- Post-quantum cryptography on Wikipedia
- PQCHacks: A gentle introduction to post-quantum cryptography
- Initial recommendations of long-term secure post-quantum systems
- OpenBSD — used in OpenSSH, OpenIKED, and CVS over SSH
- Any OS that includes OpenSSH 8.5 or newer
libpqcrypto is a new cryptographic software library produced by the PQCRYPTO project, that includes software for 77 cryptographic systems (50 signature systems and 27 encryption systems) from 19 of the 22 PQCRYPTO submissions.
Symmetric / secret-key cryptographyThe following ciphers are recommended for long term security against quantum cryptanalysis:
- AES-256 (Vincent Rijmen, Joan Daemen)
- Salsa20 with 256-bit keys (Daniel J. Bernstein)
- ChaCha20 with 256-bit keys (Daniel J. Bernstein)
Major software with pqcrypto support
Where to start with pqcrypto, using software you already have and use?
- OpenSSH 8.4 and older and older TinySSH support a pqcrypto key exchange method. You will need to explicitly enable
it in the OpenSSH sshd.conf and OpenSSH client ssh.conf. Set:
- OpenSSH 8.5 and newer, recent TinySSH: You'll need to explicitly set in the server OpenSSH sshd.conf and client ssh.conf:
- WireGuard: it's not true pqcrypto, but you can include a PSK to be mixed in with the x25519 key agreement. To do this on Unix, create a PSK with the command wg genpsk and then add that to your config using the variable PreSharedKey. So the config line would be like PreSharedKey = abcxyz where abcxyz is your actual PSK.
- WireGuard: alternatively to PSKs, you can use Rosenpass to establish post-quantum secure keys for WireGuard tunnels.
- OpenIKED: enable pq key exchange with ikesa group sntrup761x25519.
- age: use the age-plugin-sntrup761x25519 plugin for rage (the rust implementation of age). sntrup761x25519 is used in OpenSSH as the default key exchange method.
Public-key cryptography: McBits
- McBits — fast constant-time code-based cryptography (Daniel J. Bernstein, Tung Chou, Peter Schwabe)
- McBits — The first version for the "new" McBits software
- mcbitsarm — MCBits on STM32f407
Note: SPHINCS+ is one of the NIST Post-Quantum Cryptography Selected Digital Signature Algorithms of 2022 along with CRYSTALS-DILITHIUM and FALCON.
- SPHINCS+ is a refinement of SPHINCS, incorporating "multiple improvements, specifically aimed at reducing signature size."
- pyspx — Python bindings for SPHINCS+
- List of software known to the SPHINCS+ team
Note that SPHINCS-256 has been superseded by SPHINCS+.
- SPHINCS — a high-security post-quantum stateless hash-based signature scheme (Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe, and Zooko Wilcox-O'Hearn)
- sphincs256 — practical stateless hash-based signature scheme (Yawning Angel)
- sphincs — Erlang NIF for SPHINCS-256: practical stateless hash-based signatures (Alexander Færøy)
- cr3 — simple pipe using crazy/crappy crypto for encryption and signing (Stefan Marsiske)
- SPHINCS-256-py — A Python implementation of the SPHINCS scheme (Joost Rijneveld)
- SPHINCS-golang — SPHINCS: practical stateless hash-based signatures
- supersphincs — SPHINCS and RSASSA-PKCS1-v1_5 paired together as a single signing scheme (Cyph)
- sphincs_sha256 — Implementation of the SPHINCS digital signature scheme using SHA256 (Stefan Kölbl)
- pitchforkedsphincs — armedsphincs ported to pitchfork (pitchfork)
- SPHINCS-arduinodue — Implementation of the stateless hash-based signature scheme SPHINCS-256 on an Arduino Due board (Aymeric Genet)
- Haraka — a secure and efficient short-input hash function (includes a SPHINCS implementation instantiated with Haraka)
- codecrypt — Post-quantum cryptography tool (Mirek Kratochvil)
- SPHINCS-SHAKE256 — Modified version of SPHINCS-256, using SHAKE256 as the underlying hash function rather than ChaCha/BLAKE
- sphincs — Optimized implementations for cryptographic hash functions for the use in hash-based signature schemes (Stefan Kölbl)
- SUPERCOP — a cryptographic benchmarking suite
Post-quantum crypto library for the ARM Cortex-M4
The pqm4 library, benchmarking and testing framework started as a result of the PQCRYPTO project funded by the European Commission in the H2020 program. It currently contains implementations of 8 post-quantum key-encapsulation mechanisms and 3 post-quantum signature schemes targeting the ARM Cortex-M4 family of microcontrollers.
Post-quantum crypto implementations for the FPGAs
The pqhw implementations are a result of the PQCRYPTO project funded by the European Commission in the H2020 program. Note that these are research oriented implementations and not ready for productive use. It is published under the license contained in the license.rtf file and allows evaluation by academics but no commercial use.
The following have not been recommended by the PQCRYPTO Project, but are worthy of further study and experimentation.
- QcBits — a fully constant-time implementation of a QC-MDPC-code-based encryption scheme (Tung Chou)
- The current code for implementations "ref" and "clmul"
- CIRCL — Cloudflare Interoperable Reusable Cryptographic Library
See also this Wikipedia article for further reading.
- 2006-05-23/26: PQCrypto 2006 (Leuven, Belgium)
- 2008-10-17/19: PQCrypto 2008 (Cincinatti, OH, USA)
- 2010-05-25/28: PQCrypto 2010 (Darmstadt, Germany)
- 2011-11-29/12-02: PQCrypto 2011 (Taipei, Taiwan)
- 2013-06-04/07: PQCrypto 2013 (Limoges, France)
- 2013-06-16: McBits is introduced
- 2014-10-01: SPHINCS is introduced
- 2014-10-01/03: PQCrypto 2014 (Waterloo, Ontario, Canada)
- 2015-04-08: draft-irtf-cfrg-xmss-hash-based-signatures-00
- 2015-11-05: "Newhope" Ring-LWE-based key exchange first introduced
- 2016-02-24/26: PQCrypto 2016 (Fukuoka, Japan)
- 2016-05-06: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
- 2016-05-18: BoringSSL gets concatenated X25519 + Newhope (post-quantum) key agreement
- 2016-06-28: Mini PQC Workshop (Utrecht, Netherlands)
- 2016-07-07: Google publishes "Experimenting with Post-Quantum Cryptography"
- 2016-08-10: Winner of the 2016 Internet Defense Prize: Post-quantum Key Exchange — A New Hope
- 2016-10-26: Botan 1.11.33 adds Newhope support
- 2016-11-28: Adam Langley (Google) publishes the results of their CECPQ1 experiment
- 2016-12-17: NewHope-Simple is introduced
- 2016-12-20: NIST requests nominations for pqcrypto algorithms
- 2017-06-19/23: Summer School on Post-Quantum Cryptography 2017 (Utrecht, Netherlands)
- 2017-06-26/28: PQCrypto 2017 (Utrecht, Netherlands)
- 2018-03-14: libpqcrypto is announced
- 2018-04-09/11: PQCrypto 2018 (Fort Lauderdale, FL, USA)
- 2018-12-12: Adam Langley (Google) announces CECPQ2
- 2018-12-28: The year in post-quantum crypto
- 2019-01-01: tinyssh-20190101 introduces email@example.com
- 2019-01-18: Cloudflare announces experimental support for two post-quantum key agreement algorithms
- 2019-01-30: NIST PQC Standardization Process: Announcement of 2nd Round Candidates
- 2019-04-02: OpenSSH 7.7 adds experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default
- 2019-04-18: OpenSSH 8.0 adopts firstname.lastname@example.org (not enabled by default)
- 2019-05-08/10: PQCrypto 2019 (Chongqing, China)
- 2019-06-20: Cloudflare introduces CIRCL
- 2019-10-30: Cloudflare announces results of its post-quantum experiment with Google
- 2020-09-21/23: PQCrypto 2020 (Paris, France)
- 2020-12-29: OpenSSH replaces email@example.com with firstname.lastname@example.org (not enabled by default)
- 2021-02-01: wolfSSL: Post Quantum Algorithms in SSH
- 2021-03-03: OpenSSH 8.5 supports email@example.com (disabled by default)
- 2021-03-19: TinySSH 20210319 supports firstname.lastname@example.org
- 2021-05-28: OpenBSD IKED gets sntrup761x25519 key exchange
- 2021-07-20/22: PQCrypto 2021 (Daejeon, South Korea)
- 2021-09-01: wolfSSL and libOQS Integration
- 2021-11-03: OpenIKED 7.0 supports Streamlined NTRU Prime (coupled with X25519) as sntrup761x25519
- 2022-02-10: OpenSSH 8.9 will enable the email@example.com KEM
- 2022-02-23: OpenSSH 8.9 is released, including firstname.lastname@example.org enabled by default
- 2022-04-08: OpenSSH 9.0 is released, elevating email@example.com to the default key exchange
- 2022-07-05: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
- 2022-07-30: An efficient key recovery attack on SIDH
- 2022-08-04: Cloudflare experiments with x25519-kyber for TLS
- 2022-08-05: DJB: Announcing my second lawsuit against the U.S. government
- 2022-09-28/30: PQCrypto 2022 (online)
- 2023-10-03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level
Post-quantum crypto support coming soon!
- With PQCrypto-VPN, Microsoft is experimenting with pqcrypto
- Noise Protocol is discussing its future PQ position, and considering NewHope
- Zcash is discussing its future PQ position
- Post-quantum KEMs in Age
- Peergos will switch to pqcrypto "as soon as a clear candidate arrives."
- liboqs — C library for quantum-safe cryptographic algorithms
- Who else?!
"Powered by Post-Quantum Crypto"