pqc.club
Post-Quantum Cryptography Tools and Alternatives
A collection of the best Post-Quantum Cryptography Tools and Alternatives to switch from software using legacy encryption.For PKI see: https://pkic.org/pqccm/
Visit our sister site: https://cli.club
Communication
Tools
Development
Resources
Tuta: Encrypted email, calendar and contacts.
Tuta has implemented a hybrid custom quantum safe protocol called TutaCrypt which combines a post-quantum Key Encapsulation Mechanism (CRYSTALS-Kyber) and an Elliptic-Curve-Diffie-Hellmann key exchange (x25519). https://tuta.com/blog/post-quantum-cryptography/
Messaging
Signal: An open-source, encrypted messaging service
Signal is a widely used secure messaging app known for creating the Signal protocol which has been upgraded to use their custom quantum secure PQXDH specification. https://signal.org/blog/pqxdh/
iMessage: Apple's Instant Messenger
Apple's iMessage now supports PQC3, based on Kyber (ML-KEM) and ECC. https://security.apple.com/blog/imessage-pq3/
VPN
Mullvad: Secure and private vpn
Mullvad is a trusted secure and private VPN provider which supports PQC algorithms for encrypting your VPN traffic. https://mullvad.net/en/blog/post-quantum-safe-vpn-tunnels-available-on-all-wireguard-servers
Browsers
Chromium: An open-source browser project
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all Internet users to experience the web. Enable Kyber here: chrome://flags/#enable-tls13-kyber https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html
Firefox: Privacy first browser
Mozilla Firefox now supports Post-Quantum Cryptography. In about:config enable the following: security.tls.enable_kyber network.http.http3.enable_kyber https://qubip.eu/transition-of-nss-and-firefox-to-support-the-quantum-secure-internet-browsing/
SSH
OQS-OpenSSH: A PQC fork of OpenSSH
OQS-OpenSSH is a fork of OpenSSH that adds quantum-safe key exchange and signature algorithms using liboqs for prototyping and evaluation purposes. This fork is not endorsed by the OpenSSH project. https://openquantumsafe.org/applications/ssh.html
OpenSSL
oqs-provider: OpenSSL 3 provider containing post-quantum algorithms
Currently this provider fully enables quantum-safe cryptography for KEM key establishment in TLS1.3 including management of such keys via the OpenSSL (3.0) provider interface and hybrid KEM schemes. https://openquantumsafe.org/
SCOSSL: The SymCrypt engine for OpenSSL
The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations. ***December 2024 Update: We’re excited to announce the addition of Leighton-Micali Signature Scheme (LMS) and ML-DSA (FIPS 204, formerly Dilithium) into SymCrypt with the December 2024 update. https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/microsofts-quantum-resistant-cryptography-is-here/4238780
BoringSSL: A fork of OpenSSL that is designed to meet Google's needs
Upstream BoringSSL now supports X25519Kyber768Draft00 under the new codepoint 0x6399. Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability. https://boringssl.googlesource.com/boringssl/
Libraries
liboqs: C library for prototyping and experimenting with quantum-resistant cryptography
liboqs is part of the Open Quantum Safe (OQS) project, which aims to develop and integrate into applications quantum-safe cryptography to facilitate deployment and testing in real world contexts. The OQS project is supported by the Post-Quantum Cryptography Alliance as part of the Linux Foundation. More information about the Open Quantum Safe project can be found at https://openquantumsafe.org/.
Services
Cloudflare: CDN, Cybersecurity, DNS, Registrar, WAN, Proxy
Since September 2023, Cloudflare has supported post-quantum key agreement algorithms for establishing connections to origin servers (client websites), and is gradually rolling out support for post-quantum cryptography for client connections. Cloudflare now supports X25519MLKEM768 which is a popular hybrid key agreement using ECC and now standardized ML-KEM. On essentially all domains served through Cloudflare they have now enabled hybrid post-quantum key agreement. Cloudflare is also a leading company in PQC research. https://pq.cloudflareresearch.com/ https://blog.cloudflare.com/pq-2024/ https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/
AWS KMS: Key Management Service
Create and control keys used to encrypt or digitally sign your data. AWS Key Management Service (AWS KMS) supports a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network encryption protocol. (ECDH + Kyber) https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html
Information
QUBIP: Leading the transition to PQC
QUBIP project leads the integration of Post-Quantum algorithms into protocols, networks and systems we use today. https://qubip.eu/
tldr.fail: PQC Client-Hello bug
The migration to post-quantum cryptography is being held back by buggy servers that do not correctly implement TLS. Due to a bug, these servers reject connections that use post-quantum-secure cryptography, instead of negotiating classical cryptography if they do not support post-quantum cryptography. https://tldr.fail/
Other Resources
Blog Posts: https://www.kaspersky.com.au/blog/postquantum-cryptography-2024-implementation-issues/34061/ https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html https://security.googleblog.com/2024/08/post-quantum-cryptography-standards.html https://bughunters.google.com/blog/5108747984306176/google-s-threat-model-for-post-quantum-cryptography Websites: https://openquantumsafe.org/ https://pq.cloudflareresearch.com https://csrc.nist.gov/pqc-standardization https://github.com/Fraunhofer-AISEC/pqdb Other PQC Lists: https://openquantumsafe.org/applications/external.html https://github.com/open-quantum-safe/oqs-demos
For recommendations please submit an issue on github.
Email: contact@pqc.club