PQCrypto Usage & Deployment

Updated: April 8, 2022

Here's a list of software that incorporate PQCrypto (post-quantum cryptography), that is, cryptography resistant to attack from quantum computers.

Note on QKD: Quantum Key Distribution, an unrelated technology, is probably snake oil. It will not be discussed here.

Background information

• PQCRYPTO Project
• pqcrypto.org
• Post-quantum cryptography on Wikipedia
• PQCHacks: A gentle introduction to post-quantum cryptography
• Initial recommendations of long-term secure post-quantum systems

libpqcrypto

libpqcrypto is a new cryptographic software library produced by the PQCRYPTO project, that includes software for 77 cryptographic systems (50 signature systems and 27 encryption systems) from 19 of the 22 PQCRYPTO submissions.

• libpqcrypto

Symmetric / secret-key cryptography

Grover's algorithm will reduce symmetric cipher security by a square root. So against a quantum computer running Grover's algorithm, AES-256 will provide a comfortable security level of 2^128. However, AES-128 will only provide a security level of 2^64, rendering it broken. (Keep in mind that attackers are storing ciphertext now for later analysis.) The following ciphers are recommended for long term security against quantum cryptanalysis:

• AES-256 (Vincent Rijmen, Joan Daemen)
• Salsa20 with 256-bit keys (Daniel J. Bernstein)

Public-key cryptography: McBits

• McBits — fast constant-time code-based cryptography (Daniel J. Bernstein, Tung Chou, Peter Schwabe)
• McBits — The first version for the "new" McBits software
• mcbitsarm — MCBits on STM32f407

Signatures: SPHINCS+

Note: SPHINCS+ has made it to round 2 of the NIST PQC Standardization Process.

• SPHINCS+ is a refinement of SPHINCS, incorporating "multiple improvements, specifically aimed at reducing signature size."
• pyspx — Python bindings for SPHINCS+

Signatures: SPHINCS-256

• SPHINCS — a high-security post-quantum stateless hash-based signature scheme (Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe, and Zooko Wilcox-O'Hearn)
• sphincs256 — practical stateless hash-based signature scheme (Yawning Angel)
• sphincs — Erlang NIF for SPHINCS-256: practical stateless hash-based signatures (Alexander Færøy)
• cr3 — simple pipe using crazy/crappy crypto for encryption and signing (Stefan Marsiske)
• SPHINCS-256-py — A Python implementation of the SPHINCS scheme (Joost Rijneveld)
• sphincs.js — JavaScript wrapper for an asm.js build of SPHINCS (Cyph)
• SPHINCS-golang — SPHINCS: practical stateless hash-based signatures
• supersphincs — SPHINCS and RSASSA-PKCS1-v1_5 paired together as a single signing scheme (Cyph)
• sphincs_sha256 — Implementation of the SPHINCS digital signature scheme using SHA256 (Stefan Kölbl)
• pitchforkedsphincs — armedsphincs ported to pitchfork (pitchfork)
• SPHINCS-arduinodue — Implementation of the stateless hash-based signature scheme SPHINCS-256 on an Arduino Due board (Aymeric Genet)
• Haraka — a secure and efficient short-input hash function (includes a SPHINCS implementation instantiated with Haraka)
• codecrypt — Post-quantum cryptography tool (Mirek Kratochvil)
• SPHINCS-SHAKE256 — Modified version of SPHINCS-256, using SHAKE256 as the underlying hash function rather than ChaCha/BLAKE
• sphincs — Optimized implementations for cryptographic hash functions for the use in hash-based signature schemes (Stefan Kölbl)
• SUPERCOP — a cryptographic benchmarking suite

Major software with pqcrypto support

Where to start with pqcrypto, using software you already have and use?

• OpenSSH 8.4 and older and older TinySSH support a pqcrypto key exchange method. You will need to explicitly enable it in the OpenSSH sshd.conf and OpenSSH client ssh.conf. Set:
  KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org
• OpenSSH 8.5 and newer, recent TinySSH: You'll need to explicitly set in the server OpenSSH sshd.conf and client ssh.conf:
  KexAlgorithms sntrup761x25519-sha512@openssh.com
• WireGuard: it's not true pqcrypto, but you can include a PSK to be mixed in with the x25519 key agreement. To do this on Unix, create a PSK with the command wg genpsk and then add that to your config using the variable PreSharedKey. So the config line would be like PreSharedKey = abcxyz where abcxyz is your actual PSK.
• OpenIKED: enable pq key exchange with ikesa group sntrup761x25519.

pqm4

Post-quantum crypto library for the ARM Cortex-M4

The pqm4 library, benchmarking and testing framework started as a result of the PQCRYPTO project funded by the European Commission in the H2020 program. It currently contains implementations of 8 post-quantum key-encapsulation mechanisms and 3 post-quantum signature schemes targeting the ARM Cortex-M4 family of microcontrollers.

pqhw

Post-quantum crypto implementations for the FPGAs

The pqhw implementations are a result of the PQCRYPTO project funded by the European Commission in the H2020 program. Note that these are research oriented implementations and not ready for productive use. It is published under the license contained in the license.rtf file and allows evaluation by academics but no commercial use.

Help wanted!

• hs-nacl wants McBits support, and would probably like pull requests

---

See also

The following have not been recommended by the PQCRYPTO Project, but are worthy of further study and experimentation.

Note: Newhope has made it to round 2 of the NIST PQC Standardization Process.

Key Exchange: Newhope

• Newhope — Ring-LWE-based key exchange (Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe)
• newhope — Golang "Post-quantum key exchange - a new hope" (Yawning Angel)
• luke — Erlang NIF for the post-quantum key exchange named A New Hope (Alexander Færøy)
• BoringSSL — Google's TLS library used by Chrome and Google sites
• Botan — Crypto and TLS for C++11
• newhope — Post-quantum key exchange - a new hope - in Rust (quininer kel)
• newhope — a fork of Newhope with some optimizations to the coefficient-sampling method (Shay Gueron and Fabian Schlieker)
• Noise-C — a plain C implementation of the Noise protocol (includes NewHope)
• arduinolibs — Arduino libraries and examples
• NewHope-Key-Exchange — The NewHope Key Exchange implementation in Python (Anup)
• NewHope-Golang — NewHope Post-quantum key exchange (Anup)
• liboqs — C library for quantum-resistant cryptographic algorithms
• newhope-tor-testvectors — Code for generating the NewHope handshake test vectors included in Tor proposal #XXX (Isis Agora Lovecruft)
• Sarkara — A Post-Quantum cryptography library (quininer kel)
• newhope-cm3 — newhope key-exchange optimized for cortex m3
• PyNewHope — A Python implementation of the NewHope post-quantum cryptographic scheme
• NewHope_X25519_XSalsa20_Poly1305 — Post Quantum Cryptography with NewHope and NaCl

QcBits

• QcBits — a fully constant-time implementation of a QC-MDPC-code-based encryption scheme (Tung Chou)
• The current code for implementations "ref" and "clmul"

CIRCL

• CIRCL — Cloudflare Interoperable Reusable Cryptographic Library

Timeline notes

See also this Wikipedia article for further reading.

• 2006-05-23/26: PQCrypto 2006 (Leuven, Belgium)
• 2008-10-17/19: PQCrypto 2008 (Cincinatti, OH, USA)
• 2010-05-25/28: PQCrypto 2010 (Darmstadt, Germany)
• 2011-11-29/12-02: PQCrypto 2011 (Taipei, Taiwan)
• 2013-06-04/07: PQCrypto 2013 (Limoges, France)
• 2013-06-16: McBits is introduced
• 2014-10-01: SPHINCS is introduced
• 2014-10-01/03: PQCrypto 2014 (Waterloo, Ontario, Canada)
• 2015-04-08: draft-irtf-cfrg-xmss-hash-based-signatures-00
• 2015-11-05: "Newhope" Ring-LWE-based key exchange first introduced
• 2016-02-24/26: PQCrypto 2016 (Fukuoka, Japan)
• 2016-05-06: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
• 2016-05-18: BoringSSL gets concatenated X25519 + Newhope (post-quantum) key agreement
• 2016-06-28: Mini PQC Workshop (Utrecht, Netherlands)
• 2016-07-07: Google publishes "Experimenting with Post-Quantum Cryptography"
• 2016-08-10: Winner of the 2016 Internet Defense Prize: Post-quantum Key Exchange — A New Hope
• 2016-10-26: Botan 1.11.33 adds Newhope support
• 2016-11-28: Adam Langley (Google) publishes the results of their CECPQ1 experiment
• 2016-12-17: NewHope-Simple is introduced
• 2016-12-20: NIST requests nominations for pqcrypto algorithms
• 2017-06-19/23: Summer School on Post-Quantum Cryptography 2017 (Utrecht, Netherlands)
• 2017-06-26/28: PQCrypto 2017 (Utrecht, Netherlands)
• 2018-03-14: libpqcrypto is announced
• 2018-04-09/11: PQCrypto 2018 (Fort Lauderdale, FL, USA)
• 2018-12-12: Adam Langley (Google) announces CECPQ2
• 2018-12-28: The year in post-quantum crypto
• 2019-01-01: tinyssh-20190101 introduces sntrup4591761x25519-sha512@tinyssh.org
• 2019-01-18: Cloudflare announces experimental support for two post-quantum key agreement algorithms
• 2019-01-30: NIST PQC Standardization Process: Announcement of 2nd Round Candidates
• 2019-04-02: OpenSSH 7.7 adds experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default
• 2019-04-18: OpenSSH 8.0 adopts sntrup4591761x25519-sha512@tinyssh.org (not enabled by default)
• 2019-05-08/10: PQCrypto 2019 (Chongqing, China)
• 2019-06-20: Cloudflare introduces CIRCL
• 2019-10-30: Cloudflare announces results of its post-quantum experiment with Google
• 2020-09-21/23: PQCrypto 2020 (Paris, France)
• 2020-12-29: OpenSSH replaces sntrup4591761x25519-sha512@tinyssh.org with sntrup761x25519-sha512@openssh.com (not enabled by default)
• 2021-02-01: wolfSSL: Post Quantum Algorithms in SSH
• 2021-03-03: OpenSSH 8.5 supports sntrup761x25519-sha512@openssh.com (disabled by default)
• 2021-05-28: OpenBSD IKED gets sntrup761x25519 key exchange
• 2021-07-20/22: PQCrypto 2021 (Daejeon, South Korea)
• 2021-09-01: wolfSSL and libOQS Integration
• 2021-11-03: OpenIKED 7.0 supports Streamlined NTRU Prime (coupled with X25519) as sntrup761x25519
• 2022-02-10: OpenSSH 8.9 will enable the sntrup761x25519-sha512@openssh.com KEM
• 2022-02-23: OpenSSH 8.9 is released, including sntrup761x25519-sha512@openssh.com enabled by default
• 2022-04-08: OpenSSH 9.0 is released, elevating sntrup761x25519-sha 512@openssh.com to the default key exchange

Post-quantum crypto support coming soon!

• With PQCrypto-VPN, Microsoft is experimenting with pqcrypto
• Noise Protocol is discussing its future PQ position, and considering NewHope
• curl
• Zcash is discussing its future PQ position
• Peergos will switch to pqcrypto "as soon as a clear candidate arrives."
• liboqs — C library for quantum-safe cryptographic algorithms (plans to support Newhope)
• Who else?!

"Powered by Post-Quantum Crypto"