PQCrypto Usage & Deployment

Updated: November 24, 2025

Here's a list of software that incorporate PQCrypto (post-quantum cryptography), that is, cryptography resistant to attack from quantum computers.

Note on QKD: Quantum Key Distribution, an unrelated technology, is probably snake oil. It will not be discussed here.

Additionally, IANIX strongly urges the use of hybrid pqcrypto such as X25519 combined with a post-quantum algorithm like NTRU Prime using e.g. libntruprime, or X25519 combined with ML-KEM. It is too early to safely rely on non-hybrid options. Fortunately, the pqcrypto ecosystem is deploying hybrid.

Background information

• PQCRYPTO Project
• pqcrypto.org
• Post-quantum cryptography on Wikipedia
• PQCHacks: A gentle introduction to post-quantum cryptography
• Initial recommendations of long-term secure post-quantum systems

Operating Systems

• OpenBSD — used in OpenSSH, OpenIKED, and CVS over SSH
• ChromeOS — extensively depends on the Chrome web browser and Google services, both of which use pqcrypto
• Any OS that includes OpenSSH 8.5 or newer

libpqcrypto

libpqcrypto is a new cryptographic software library produced by the PQCRYPTO project, that includes software for 77 cryptographic systems (50 signature systems and 27 encryption systems) from 19 of the 22 PQCRYPTO submissions.

• libpqcrypto

PQConnect

PQConnect "automatically applies post-quantum cryptography from end to end between computers running PQConnect" and "once you have installed PQConnect on your computer, PQConnect automatically detects servers that support PQConnect, and transparently encrypts traffic to those servers."

Symmetric / secret-key cryptography

The following ciphers are recommended for long term security against quantum cryptanalysis:

• AES-256 (Vincent Rijmen, Joan Daemen)
• Salsa20 with 256-bit keys (Daniel J. Bernstein)
• ChaCha20 with 256-bit keys (Daniel J. Bernstein)

Major software with pqcrypto support

Where to start with pqcrypto, using software you already have and use?

• In OpenSSH 9.0 and newer, and TinySSH, the post-quantum sntrup761x25519-sha512@openssh.com is the default key exchange. From OpenSSH 8.5 to 8.9, this kex must be explicitly enabled in the OpenSSH server sshd.conf and client ssh.conf:
  KexAlgorithms sntrup761x25519-sha512@openssh.com
• WireGuard: it's not true pqcrypto, but you can include a PSK (pre-shared key) to be mixed in with the x25519 key agreement. To do this on Unix, create a PSK with the command `wg genpsk` or `openssl rand -base64 32` and then add that to your config under the [Peer] section using the variable PreSharedKey. So the config line would be like PreSharedKey = abcxyz where abcxyz is your actual PSK. As described above, you can use OpenSSH or TinySSH to safely transmit these keys to the other end of your tunnel, adding the same PreSharedKey = abcxyz to the other config there.
• WireGuard: alternatively to PSKs, you can use Rosenpass to establish post-quantum secure keys for WireGuard tunnels.
• OpenIKED: enable pq key exchange with ikesa group sntrup761x25519.
• MagiskSSH is OpenSSH built for Android.
• age: use the age-plugin-sntrup761x25519 plugin for rage (the rust implementation of age). sntrup761x25519 is used in OpenSSH as the default key exchange method.
• iMessage: iMessage in iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 supports PQ3, Apple's post-quantum messaging protocol.
• Signal: Signal Messenger uses the post-quantum PQXDH key agreement protocol by default to secure communications.

Public-key cryptography: McBits

• McBits — fast constant-time code-based cryptography (Daniel J. Bernstein, Tung Chou, Peter Schwabe)
• McBits — The first version for the "new" McBits software
• mcbitsarm — MCBits on STM32f407

Signatures: SPHINCS+

Note: SPHINCS+ is one of the NIST Post-Quantum Cryptography Selected Digital Signature Algorithms of 2022 along with CRYSTALS-DILITHIUM and FALCON.

• SPHINCS+ is a refinement of SPHINCS, incorporating "multiple improvements, specifically aimed at reducing signature size."
• pyspx — Python bindings for SPHINCS+
• List of software known to the SPHINCS+ team

Signatures: SPHINCS-256

Note that SPHINCS-256 has been superseded by SPHINCS+.

• SPHINCS — a high-security post-quantum stateless hash-based signature scheme (Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe, and Zooko Wilcox-O'Hearn)
• sphincs256 — practical stateless hash-based signature scheme (Yawning Angel)
• sphincs — Erlang NIF for SPHINCS-256: practical stateless hash-based signatures (Alexander Færøy)
• cr3 — simple pipe using crazy/crappy crypto for encryption and signing (Stefan Marsiske)
• SPHINCS-256-py — A Python implementation of the SPHINCS scheme (Joost Rijneveld)
• sphincs.js — JavaScript wrapper for an asm.js build of SPHINCS (Cyph)
• SPHINCS-golang — SPHINCS: practical stateless hash-based signatures
• supersphincs — SPHINCS and RSASSA-PKCS1-v1_5 paired together as a single signing scheme (Cyph)
• sphincs_sha256 — Implementation of the SPHINCS digital signature scheme using SHA256 (Stefan Kölbl)
• pitchforkedsphincs — armedsphincs ported to pitchfork (pitchfork)
• SPHINCS-arduinodue — Implementation of the stateless hash-based signature scheme SPHINCS-256 on an Arduino Due board (Aymeric Genet)
• Haraka — a secure and efficient short-input hash function (includes a SPHINCS implementation instantiated with Haraka)
• codecrypt — Post-quantum cryptography tool (Mirek Kratochvil)
• SPHINCS-SHAKE256 — Modified version of SPHINCS-256, using SHAKE256 as the underlying hash function rather than ChaCha/BLAKE
• sphincs — Optimized implementations for cryptographic hash functions for the use in hash-based signature schemes (Stefan Kölbl)
• SUPERCOP — a cryptographic benchmarking suite

pqm4

Post-quantum crypto library for the ARM Cortex-M4

The pqm4 library, benchmarking and testing framework started as a result of the PQCRYPTO project funded by the European Commission in the H2020 program. It currently contains implementations of 8 post-quantum key-encapsulation mechanisms and 3 post-quantum signature schemes targeting the ARM Cortex-M4 family of microcontrollers.

pqhw

Post-quantum crypto implementations for the FPGAs

The pqhw implementations are a result of the PQCRYPTO project funded by the European Commission in the H2020 program. Note that these are research oriented implementations and not ready for productive use. It is published under the license contained in the license.rtf file and allows evaluation by academics but no commercial use.

Help wanted!

• hs-nacl wants McBits support, and would probably like pull requests

---

See also

The following have not been recommended by the PQCRYPTO Project, but are worthy of further study and experimentation.

QcBits

• QcBits — a fully constant-time implementation of a QC-MDPC-code-based encryption scheme (Tung Chou)
• The current code for implementations "ref" and "clmul"

CIRCL

• CIRCL — Cloudflare Interoperable Reusable Cryptographic Library

Timeline notes

See also this Wikipedia article for further reading.

• 2006-05-23/26: PQCrypto 2006 (Leuven, Belgium)
• 2008-10-17/19: PQCrypto 2008 (Cincinatti, OH, USA)
• 2010-05-25/28: PQCrypto 2010 (Darmstadt, Germany)
• 2011-11-29/12-02: PQCrypto 2011 (Taipei, Taiwan)
• 2013-06-04/07: PQCrypto 2013 (Limoges, France)
• 2013-06-16: McBits is introduced
• 2014-10-01: SPHINCS is introduced
• 2014-10-01/03: PQCrypto 2014 (Waterloo, Ontario, Canada)
• 2015-04-08: draft-irtf-cfrg-xmss-hash-based-signatures-00
• 2015-11-05: "Newhope" Ring-LWE-based key exchange first introduced
• 2016-02-24/26: PQCrypto 2016 (Fukuoka, Japan)
• 2016-05-06: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
• 2016-05-18: BoringSSL gets concatenated X25519 + Newhope (post-quantum) key agreement
• 2016-06-28: Mini PQC Workshop (Utrecht, Netherlands)
• 2016-07-07: Google publishes "Experimenting with Post-Quantum Cryptography"
• 2016-08-10: Winner of the 2016 Internet Defense Prize: Post-quantum Key Exchange — A New Hope
• 2016-10-26: Botan 1.11.33 adds Newhope support
• 2016-11-28: Adam Langley (Google) publishes the results of their CECPQ1 experiment
• 2016-12-17: NewHope-Simple is introduced
• 2016-12-20: NIST requests nominations for pqcrypto algorithms
• 2017-06-19/23: Summer School on Post-Quantum Cryptography 2017 (Utrecht, Netherlands)
• 2017-06-26/28: PQCrypto 2017 (Utrecht, Netherlands)
• 2018-03-14: libpqcrypto is announced
• 2018-04-09/11: PQCrypto 2018 (Fort Lauderdale, FL, USA)
• 2018-12-12: Adam Langley (Google) announces CECPQ2
• 2018-12-28: The year in post-quantum crypto
• 2019-01-01: tinyssh-20190101 introduces sntrup4591761x25519-sha512@tinyssh.org
• 2019-01-18: Cloudflare announces experimental support for two post-quantum key agreement algorithms
• 2019-01-30: NIST PQC Standardization Process: Announcement of 2nd Round Candidates
• 2019-04-02: OpenSSH 7.7 adds experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default
• 2019-04-18: OpenSSH 8.0 adopts sntrup4591761x25519-sha512@tinyssh.org (not enabled by default)
• 2019-05-08/10: PQCrypto 2019 (Chongqing, China)
• 2019-06-20: Cloudflare introduces CIRCL
• 2019-10-30: Cloudflare announces results of its post-quantum experiment with Google
• 2020-04-03: Post-quantum WireGuard is published by Andreas Hülsing, Kai-Chun Ning, Peter Schwabe, Fiona Johanna Weber, and Philip R. Zimmermann
• 2020-09-21/23: PQCrypto 2020 (Paris, France)
• 2020-12-29: OpenSSH replaces sntrup4591761x25519-sha512@tinyssh.org with sntrup761x25519-sha512@openssh.com (not enabled by default)
• 2021-02-01: wolfSSL: Post Quantum Algorithms in SSH
• 2021-03-03: OpenSSH 8.5 supports sntrup761x25519-sha512@openssh.com (disabled by default)
• 2021-03-19: TinySSH 20210319 supports sntrup761x25519-sha512@openssh.com
• 2021-05-28: OpenBSD IKED gets sntrup761x25519 key exchange
• 2021-07-20/22: PQCrypto 2021 (Daejeon, South Korea)
• 2021-09-01: wolfSSL and libOQS Integration
• 2021-11-03: OpenIKED 7.0 supports Streamlined NTRU Prime (coupled with X25519) as sntrup761x25519
• 2022-02-10: OpenSSH 8.9 will enable the sntrup761x25519-sha512@openssh.com KEM
• 2022-02-23: OpenSSH 8.9 is released, including sntrup761x25519-sha512@openssh.com enabled by default
• 2022-04-08: OpenSSH 9.0 is released, elevating sntrup761x25519-sha512@openssh.com to the default key exchange
• 2022-07-05: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
• 2022-07-30: An efficient key recovery attack on SIDH
• 2022-08-04: Cloudflare experiments with x25519-kyber for TLS
• 2022-08-05: DJB: Announcing my second lawsuit against the U.S. government
• 2023-09-19: Signal announces PQXDH
• 2022-09-28/30: PQCrypto 2022 (online)
• 2023-04-06: Mullvad now supports quantum-resistant WireGuard tunnels
• 2023-10-03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level
• 2024-02-21: iMessage with PQ3: The new state of the art in quantum-secure messaging at scale
• 2024-09-19: OpenSSH 9.9 adds support for mlkem768x25519-sha256
• 2025-02-11: Go 1.24 supports X25519MLKEM768, enabled by default when Config.CurvePreferences is nil
• 2025-02-19: Post-Quantum Cryptography in February 2025
• 2025-04-30: LibreSSL 4.1.0 imports "ML-KEM 768 and 1024 from BoringSSL (not yet public API)"
• 2025-10-02: Signal introduces SPQR, extending its post-quantum security
• 2025-10-14: LibreSSL 4.2.0 adds a public API for ML-KEM to be used to support X25519MLKEM768 in libssl

Post-quantum crypto support coming soon!

• Post-quantum KEMs in Age
• curl
• With PQCrypto-VPN, Microsoft is experimenting with pqcrypto
• Noise Protocol is discussing its future PQ position, and considering NewHope
• Zcash is discussing its future PQ position
• Peergos will switch to pqcrypto "as soon as a clear candidate arrives."
• liboqs — C library for quantum-safe cryptographic algorithms
• Who else?!

"Powered by Post-Quantum Crypto"