pqc.club

Post-Quantum Cryptography Tools and Alternatives

A collection of the best Post-Quantum Cryptography Tools and Alternatives to switch from software using legacy encryption.

For PKI see: https://pkic.org/pqccm/



Visit our sister site: https://cli.club

Communication

Tools

Development

Resources



Email

Tuta: Encrypted email, calendar and contacts.

Tuta has implemented a hybrid custom quantum safe protocol called TutaCrypt which combines a post-quantum Key Encapsulation Mechanism (CRYSTALS-Kyber) and an Elliptic-Curve-Diffie-Hellmann key exchange (x25519).

https://tuta.com/blog/post-quantum-cryptography/

Messaging

Signal: An open-source, encrypted messaging service

Signal is a widely used secure messaging app known for creating the Signal protocol which has been upgraded to use their custom quantum secure PQXDH specification.

https://signal.org/blog/pqxdh/

iMessage: Apple's Instant Messenger

Apple's iMessage now supports PQC3, based on Kyber (ML-KEM) and ECC.

https://security.apple.com/blog/imessage-pq3/

VPN

Mullvad: Secure and private vpn

Mullvad is a trusted secure and private VPN provider which supports PQC algorithms for encrypting your VPN traffic.

https://mullvad.net/en/blog/post-quantum-safe-vpn-tunnels-available-on-all-wireguard-servers

Browsers

Chromium: An open-source browser project

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web.

Enable Kyber here:
chrome://flags/#enable-tls13-kyber

https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html

https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html

https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html

Firefox: Privacy first browser

Mozilla Firefox now supports Post-Quantum Cryptography.

In about:config enable the following:
security.tls.enable_kyber
network.http.http3.enable_kyber

https://qubip.eu/transition-of-nss-and-firefox-to-support-the-quantum-secure-internet-browsing/

SSH

OQS-OpenSSH: A PQC fork of OpenSSH

OQS-OpenSSH is a fork of OpenSSH that adds quantum-safe key exchange and signature algorithms using liboqs for prototyping and evaluation purposes. This fork is not endorsed by the OpenSSH project.

https://openquantumsafe.org/applications/ssh.html

OpenSSL

oqs-provider: OpenSSL 3 provider containing post-quantum algorithms

Currently this provider fully enables quantum-safe cryptography for KEM key establishment in TLS1.3 including management of such keys via the OpenSSL (3.0) provider interface and hybrid KEM schemes.

https://openquantumsafe.org/

SCOSSL: The SymCrypt engine for OpenSSL

The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations.

***December 2024 Update: We’re excited to announce the addition of Leighton-Micali Signature Scheme (LMS) and ML-DSA (FIPS 204, formerly Dilithium) into SymCrypt with the December 2024 update.

https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/microsofts-quantum-resistant-cryptography-is-here/4238780

BoringSSL: A fork of OpenSSL that is designed to meet Google's needs

Upstream BoringSSL now supports X25519Kyber768Draft00 under the new codepoint 0x6399.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

https://boringssl.googlesource.com/boringssl/

Libraries

liboqs: C library for prototyping and experimenting with quantum-resistant cryptography

liboqs is part of the Open Quantum Safe (OQS) project, which aims to develop and integrate into applications quantum-safe cryptography to facilitate deployment and testing in real world contexts.

The OQS project is supported by the Post-Quantum Cryptography Alliance as part of the Linux Foundation. More information about the Open Quantum Safe project can be found at https://openquantumsafe.org/.

Services

Cloudflare: CDN, Cybersecurity, DNS, Registrar, WAN, Proxy

Since September 2023, Cloudflare has supported post-quantum key agreement algorithms for establishing connections to origin servers (client websites), and is gradually rolling out support for post-quantum cryptography for client connections.

Cloudflare now supports X25519MLKEM768 which is a popular hybrid key agreement using ECC and now standardized ML-KEM.

On essentially all domains served through Cloudflare they have now enabled hybrid post-quantum key agreement.

Cloudflare is also a leading company in PQC research.

https://pq.cloudflareresearch.com/

https://blog.cloudflare.com/pq-2024/

https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/

AWS KMS: Key Management Service

Create and control keys used to encrypt or digitally sign your data.

AWS Key Management Service (AWS KMS) supports a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network encryption protocol.

(ECDH + Kyber)

https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html

Information

QUBIP: Leading the transition to PQC

QUBIP project leads the integration of Post-Quantum algorithms into protocols, networks and systems we use today.

https://qubip.eu/

tldr.fail: PQC Client-Hello bug

The migration to post-quantum cryptography is being held back by buggy servers that do not correctly implement TLS. Due to a bug, these servers reject connections that use post-quantum-secure cryptography, instead of negotiating classical cryptography if they do not support post-quantum cryptography.

https://tldr.fail/

Other Resources

Blog Posts:
https://www.kaspersky.com.au/blog/postquantum-cryptography-2024-implementation-issues/34061/
https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html
https://security.googleblog.com/2024/08/post-quantum-cryptography-standards.html
https://bughunters.google.com/blog/5108747984306176/google-s-threat-model-for-post-quantum-cryptography

Websites:
https://openquantumsafe.org/
https://pq.cloudflareresearch.com
https://csrc.nist.gov/pqc-standardization
https://github.com/Fraunhofer-AISEC/pqdb

Other PQC Lists:
https://openquantumsafe.org/applications/external.html
https://github.com/open-quantum-safe/oqs-demos

Top

For recommendations please submit an issue on github.

Email: contact@pqc.club