Post-Quantum Cryptography Becomes a Reality in OpenSSL
The latest release of OpenSSL, version 3.5 — a Long-Term Support (LTS) version maintained until April 2030 — introduces support for three cryptographic algorithms that the National Institute of Standards and Technology (NIST) officially standardized last year. These algorithms mark a significant step forward in integrating post-quantum cryptography into mainstream security protocols, preparing systems for the advent of quantum computing capabilities.
The three algorithms incorporated in this release are ML-KEM, ML-DSA, and SLH-DSA. Each plays a crucial role in enhancing the resilience and security of digital communications in a post-quantum world.
Understanding the New Algorithms Introduced in OpenSSL 3.5
ML-KEM: Module-Lattice-Based Key Encapsulation Method
ML-KEM is a key encapsulation mechanism for establishing shared secret keys securely. Its computational cost is comparable to that of traditional pre-quantum key exchange, so it runs at similar speeds; the trade-off is a moderate increase in the size of the transmitted keys and ciphertexts, a common trait of post-quantum algorithms because of the larger mathematical structures they are built on.
ML-DSA: Module-Lattice-Based Digital Signature Algorithm
ML-DSA is a digital signature scheme, providing a way to verify the authenticity and integrity of digital messages. While relatively straightforward to implement, it produces signatures considerably larger than those of classical, pre-quantum algorithms. Nonetheless, it offers a layer of security resilient to quantum attacks, making it a vital component of future-proof digital signatures.
SLH-DSA: Stateless Hash-Based Digital Signature Standard
SLH-DSA is intended as a fallback, or contingency, algorithm in case ML-DSA is found to be vulnerable in practice. It builds on the well-established XMSS (eXtended Merkle Signature Scheme) and FORS (Forest of Random Subsets) constructions, which are hash-based and considered highly secure against quantum computing threats. Its stateless design simplifies deployment and management, because it removes the need for state synchronization, a common source of complexity in hash-based signature schemes.
Implementation Details Drawn from BoringSSL
The ML-DSA implementation in OpenSSL is derived from BoringSSL's, giving it a robust, tested foundation. Similarly, the ML-KEM support is based on a C++ codebase that has been ported to C and refactored for broader compatibility. The release also includes three hybrid key-exchange schemes, each combining a traditional and a post-quantum algorithm, to provide interoperability alongside post-quantum security.
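As an added example (not the article's or the OpenSSL project's own code), the following POSIX shell function exercises the ML-KEM and ML-DSA support described above through the openssl 3.5 command line: an ML-KEM-768 encapsulate/decapsulate round trip whose shared secrets must match, an ML-DSA-65 sign/verify that must reject a tampered message, and a report of the ciphertext and signature sizes the article warns about. It assumes an `openssl` binary from 3.5 or later is on PATH and returns 2 if the build lacks these algorithms.

```shell
#!/bin/sh
# Added example, not from the article or OpenSSL itself. Exit codes of
# pqc_roundtrip: 0 success, 1 a step failed, 2 this openssl lacks ML-KEM/ML-DSA.
set -u

pqc_roundtrip() {
    # First confirm the installed build actually exposes the NIST algorithms.
    if ! openssl list -kem-algorithms 2>/dev/null | grep -q 'ML-KEM-768' ||
       ! openssl list -signature-algorithms 2>/dev/null | grep -q 'ML-DSA-65'; then
        echo "$(openssl version 2>/dev/null) lacks ML-KEM/ML-DSA; OpenSSL 3.5+ needed" >&2
        return 2
    fi
    dir=$(mktemp -d) || return 1
    printf 'constructed sample message\n' > "$dir/msg"   # constructed input

    # ML-KEM-768: generate a key pair, encapsulate against the public key,
    # decapsulate with the private key, and check both shared secrets agree.
    openssl genpkey -algorithm ML-KEM-768 -out "$dir/kem.key" 2>/dev/null || return 1
    openssl pkey -in "$dir/kem.key" -pubout -out "$dir/kem.pub" || return 1
    openssl pkeyutl -encap -pubin -inkey "$dir/kem.pub" -secret "$dir/ss_enc" -out "$dir/ct" || return 1
    openssl pkeyutl -decap -inkey "$dir/kem.key" -in "$dir/ct" -secret "$dir/ss_dec" || return 1
    cmp -s "$dir/ss_enc" "$dir/ss_dec" || { echo "ML-KEM shared secrets differ" >&2; return 1; }

    # ML-DSA-65: sign the raw message (-rawin: ML-DSA signs the message itself,
    # not a pre-computed digest), verify it, then confirm a tampered copy fails.
    openssl genpkey -algorithm ML-DSA-65 -out "$dir/dsa.key" 2>/dev/null || return 1
    openssl pkey -in "$dir/dsa.key" -pubout -out "$dir/dsa.pub" || return 1
    openssl pkeyutl -sign -rawin -inkey "$dir/dsa.key" -in "$dir/msg" -out "$dir/sig" || return 1
    openssl pkeyutl -verify -rawin -pubin -inkey "$dir/dsa.pub" \
        -in "$dir/msg" -sigfile "$dir/sig" >/dev/null || return 1
    printf 'tampered\n' >> "$dir/msg"
    if openssl pkeyutl -verify -rawin -pubin -inkey "$dir/dsa.pub" \
        -in "$dir/msg" -sigfile "$dir/sig" >/dev/null 2>&1; then
        echo "ML-DSA accepted a tampered message" >&2; return 1
    fi

    # Sizes illustrate the larger messages the article mentions.
    echo "ML-KEM-768 ciphertext: $(wc -c < "$dir/ct") bytes, shared secret: $(wc -c < "$dir/ss_enc") bytes"
    echo "ML-DSA-65 signature: $(wc -c < "$dir/sig") bytes"
    rm -rf "$dir"
    return 0
}
```

Running `pqc_roundtrip` on a 3.5 build prints the sizes and exits 0; a non-zero exit with the message on stderr tells you which step, or which missing algorithm, to investigate.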
OpenSSL 3.5 introduces several other notable features, including:
- Server-side support for the QUIC protocol, an increasingly popular transport layer network protocol designed for speed and efficiency
- Support for third-party QUIC stacks, with APIs enabling 0-RTT (zero round-trip time) connection features, reducing latency
- Transition from the 3DES cipher to AES-256 for commands related to certificate signing requests (req), Cryptographic Message Syntax (CMS), and MIME (Multipurpose Internet Mail Extensions)
- A compile-time option, no-tls-deprecated-ec, that lets administrators disable support for deprecated elliptic curve groups in TLS, in line with RFC 8422
This progression in OpenSSL exemplifies the ongoing efforts to integrate cutting-edge cryptographic standards to ensure secure communications even in the face of emerging quantum threats. The adoption of these post-quantum algorithms signifies a critical shift toward more resilient encryption practices across internet security infrastructure.