PQCrypto Usage & Deployment

Updated: April 6, 2024

Here's a list of software that incorporate PQCrypto (post-quantum cryptography), that is, cryptography resistant to attack from quantum computers.

Note on QKD: Quantum Key Distribution, an unrelated technology, is probably snake oil. It will not be discussed here.

Background information

Operating Systems

OpenBSD — used in OpenSSH, OpenIKED, and CVS over SSH
Any OS that includes OpenSSH 8.5 or newer

libpqcrypto

libpqcrypto is a new cryptographic software library produced by the PQCRYPTO project, that includes software for 77 cryptographic systems (50 signature systems and 27 encryption systems) from 19 of the 22 PQCRYPTO submissions.

libpqcrypto

Symmetric / secret-key cryptography

The following ciphers are recommended for long term security against quantum cryptanalysis:

AES-256 (Vincent Rijmen, Joan Daemen)
Salsa20 with 256-bit keys (Daniel J. Bernstein)
ChaCha20 with 256-bit keys (Daniel J. Bernstein)

Major software with pqcrypto support

Where to start with pqcrypto, using software you already have and use?

OpenSSH 8.4 and older and older TinySSH each support a pqcrypto key exchange method. You will need to explicitly enable it in the OpenSSH sshd.conf and OpenSSH client ssh.conf. Set:
KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org
In OpenSSH 9.0 and newer, and TinySSH, the post-quantum sntrup761x25519-sha512@openssh.com is the default key exchange. From OpenSSH 8.5 to 8.9, this kex must be explicitly enabled in the OpenSSH server sshd.conf and client ssh.conf:
KexAlgorithms sntrup761x25519-sha512@openssh.com
WireGuard: it's not true pqcrypto, but you can include a PSK to be mixed in with the x25519 key agreement. To do this on Unix, create a PSK with the command wg genpsk and then add that to your config using the variable PreSharedKey. So the config line would be like PreSharedKey = abcxyz where abcxyz is your actual PSK.
WireGuard: alternatively to PSKs, you can use Rosenpass to establish post-quantum secure keys for WireGuard tunnels.
OpenIKED: enable pq key exchange with ikesa group sntrup761x25519.
age: use the age-plugin-sntrup761x25519 plugin for rage (the rust implementation of age). sntrup761x25519 is used in OpenSSH as the default key exchange method.
iMessage: iMessage in iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4 supports PQ3, Apple's post-quantum messaging protocol.
Signal: Signal Messenger uses the post-quantum PQXDH key agreement protocol by default to secure communications.

Public-key cryptography: McBits

McBits — fast constant-time code-based cryptography (Daniel J. Bernstein, Tung Chou, Peter Schwabe)
McBits — The first version for the "new" McBits software
mcbitsarm — MCBits on STM32f407

Signatures: SPHINCS+

Note: SPHINCS+ is one of the NIST Post-Quantum Cryptography Selected Digital Signature Algorithms of 2022 along with CRYSTALS-DILITHIUM and FALCON.

SPHINCS+ is a refinement of SPHINCS, incorporating "multiple improvements, specifically aimed at reducing signature size."
pyspx — Python bindings for SPHINCS+
List of software known to the SPHINCS+ team

Signatures: SPHINCS-256

Note that SPHINCS-256 has been superseded by SPHINCS+.

SPHINCS — a high-security post-quantum stateless hash-based signature scheme (Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe, and Zooko Wilcox-O'Hearn)
sphincs256 — practical stateless hash-based signature scheme (Yawning Angel)
sphincs — Erlang NIF for SPHINCS-256: practical stateless hash-based signatures (Alexander Færøy)
cr3 — simple pipe using crazy/crappy crypto for encryption and signing (Stefan Marsiske)
SPHINCS-256-py — A Python implementation of the SPHINCS scheme (Joost Rijneveld)
sphincs.js — JavaScript wrapper for an asm.js build of SPHINCS (Cyph)
SPHINCS-golang — SPHINCS: practical stateless hash-based signatures
supersphincs — SPHINCS and RSASSA-PKCS1-v1_5 paired together as a single signing scheme (Cyph)
sphincs_sha256 — Implementation of the SPHINCS digital signature scheme using SHA256 (Stefan Kölbl)
pitchforkedsphincs — armedsphincs ported to pitchfork (pitchfork)
SPHINCS-arduinodue — Implementation of the stateless hash-based signature scheme SPHINCS-256 on an Arduino Due board (Aymeric Genet)
Haraka — a secure and efficient short-input hash function (includes a SPHINCS implementation instantiated with Haraka)
codecrypt — Post-quantum cryptography tool (Mirek Kratochvil)
SPHINCS-SHAKE256 — Modified version of SPHINCS-256, using SHAKE256 as the underlying hash function rather than ChaCha/BLAKE
sphincs — Optimized implementations for cryptographic hash functions for the use in hash-based signature schemes (Stefan Kölbl)
SUPERCOP — a cryptographic benchmarking suite

pqm4

Post-quantum crypto library for the ARM Cortex-M4

The pqm4 library, benchmarking and testing framework started as a result of the PQCRYPTO project funded by the European Commission in the H2020 program. It currently contains implementations of 8 post-quantum key-encapsulation mechanisms and 3 post-quantum signature schemes targeting the ARM Cortex-M4 family of microcontrollers.

pqhw

Post-quantum crypto implementations for the FPGAs

The pqhw implementations are a result of the PQCRYPTO project funded by the European Commission in the H2020 program. Note that these are research oriented implementations and not ready for productive use. It is published under the license contained in the license.rtf file and allows evaluation by academics but no commercial use.

Help wanted!

hs-nacl wants McBits support, and would probably like pull requests

Timeline notes

See also this Wikipedia article for further reading.

2006-05-23/26: PQCrypto 2006 (Leuven, Belgium)
2008-10-17/19: PQCrypto 2008 (Cincinatti, OH, USA)
2010-05-25/28: PQCrypto 2010 (Darmstadt, Germany)
2011-11-29/12-02: PQCrypto 2011 (Taipei, Taiwan)
2013-06-04/07: PQCrypto 2013 (Limoges, France)
2013-06-16: McBits is introduced
2014-10-01: SPHINCS is introduced
2014-10-01/03: PQCrypto 2014 (Waterloo, Ontario, Canada)
2015-04-08: draft-irtf-cfrg-xmss-hash-based-signatures-00
2015-11-05: "Newhope" Ring-LWE-based key exchange first introduced
2016-02-24/26: PQCrypto 2016 (Fukuoka, Japan)
2016-05-06: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
2016-05-18: BoringSSL gets concatenated X25519 + Newhope (post-quantum) key agreement
2016-06-28: Mini PQC Workshop (Utrecht, Netherlands)
2016-07-07: Google publishes "Experimenting with Post-Quantum Cryptography"
2016-08-10: Winner of the 2016 Internet Defense Prize: Post-quantum Key Exchange — A New Hope
2016-10-26: Botan 1.11.33 adds Newhope support
2016-11-28: Adam Langley (Google) publishes the results of their CECPQ1 experiment
2016-12-17: NewHope-Simple is introduced
2016-12-20: NIST requests nominations for pqcrypto algorithms
2017-06-19/23: Summer School on Post-Quantum Cryptography 2017 (Utrecht, Netherlands)
2017-06-26/28: PQCrypto 2017 (Utrecht, Netherlands)
2018-03-14: libpqcrypto is announced
2018-04-09/11: PQCrypto 2018 (Fort Lauderdale, FL, USA)
2018-12-12: Adam Langley (Google) announces CECPQ2
2018-12-28: The year in post-quantum crypto
2019-01-01: tinyssh-20190101 introduces sntrup4591761x25519-sha512@tinyssh.org
2019-01-18: Cloudflare announces experimental support for two post-quantum key agreement algorithms
2019-01-30: NIST PQC Standardization Process: Announcement of 2nd Round Candidates
2019-04-02: OpenSSH 7.7 adds experimental support for PQC XMSS keys (Extended Hash-Based Signatures), not compiled in by default
2019-04-18: OpenSSH 8.0 adopts sntrup4591761x25519-sha512@tinyssh.org (not enabled by default)
2019-05-08/10: PQCrypto 2019 (Chongqing, China)
2019-06-20: Cloudflare introduces CIRCL
2019-10-30: Cloudflare announces results of its post-quantum experiment with Google
2020-09-21/23: PQCrypto 2020 (Paris, France)
2020-12-29: OpenSSH replaces sntrup4591761x25519-sha512@tinyssh.org with sntrup761x25519-sha512@openssh.com (not enabled by default)
2021-02-01: wolfSSL: Post Quantum Algorithms in SSH
2021-03-03: OpenSSH 8.5 supports sntrup761x25519-sha512@openssh.com (disabled by default)
2021-03-19: TinySSH 20210319 supports sntrup761x25519-sha512@openssh.com
2021-05-28: OpenBSD IKED gets sntrup761x25519 key exchange
2021-07-20/22: PQCrypto 2021 (Daejeon, South Korea)
2021-09-01: wolfSSL and libOQS Integration
2021-11-03: OpenIKED 7.0 supports Streamlined NTRU Prime (coupled with X25519) as sntrup761x25519
2022-02-10: OpenSSH 8.9 will enable the sntrup761x25519-sha512@openssh.com KEM
2022-02-23: OpenSSH 8.9 is released, including sntrup761x25519-sha512@openssh.com enabled by default
2022-04-08: OpenSSH 9.0 is released, elevating sntrup761x25519-sha512@openssh.com to the default key exchange
2022-07-05: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
2022-07-30: An efficient key recovery attack on SIDH
2022-08-04: Cloudflare experiments with x25519-kyber for TLS
2022-08-05: DJB: Announcing my second lawsuit against the U.S. government
2023-09-19: Signal announces PQXDH
2022-09-28/30: PQCrypto 2022 (online)
2023-10-03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level
2024-02-21: iMessage with PQ3: The new state of the art in quantum-secure messaging at scale

Post-quantum crypto support coming soon!

With PQCrypto-VPN, Microsoft is experimenting with pqcrypto
Noise Protocol is discussing its future PQ position, and considering NewHope
curl
Zcash is discussing its future PQ position
Post-quantum KEMs in Age
Peergos will switch to pqcrypto "as soon as a clear candidate arrives."
liboqs — C library for quantum-safe cryptographic algorithms
Who else?!