A new Linux Foundation initiative, the Post-Quantum Cryptography Alliance (PQCA), launched in February 2024. The PQCA brings together industry leaders, researchers, and developers to work on open source software for post-quantum cryptography. But what is post-quantum cryptography, and why is it important? This article outlines the PQCA’s goals, current work, and future work.
Public key cryptography is an essential part of our digital infrastructure today. It underlies many of the protocols and algorithms that provide security assurances upon which modern systems depend, such as the Transport Layer Security (TLS) protocol to secure "https" websites and digital signature algorithms used to sign and verify software packages for developers' use. However, the advent of quantum computers means that all of these commonly used public key algorithms could be broken by quantum computation.
The security threat of quantum computation has been known for a while — in 1994, Shor’s algorithm, which can break RSA- and elliptic curve-based cryptography, was developed — but this threat has been confined mostly to theory until recently. Developments and advancements in quantum technology have made the possibility of practical quantum computers seemingly much closer toreality. Once (powerful enough) quantum computers are feasible to construct, they may be able to decrypt essentially all present-day communications, which would undermine security for every system and everyone using current cryptography. This threat underscores the importance of developing and implementing cryptographic algorithms that are resistant to quantum cryptography: post-quantum cryptography.
The Post-Quantum Cryptography Alliance (PQCA) started with a conversation at the Linux Foundation Member Summit in Lake Tahoe. As research in post-quantum cryptography continued to be of interest, and as standards developed, various actors, ranging from universities to companies to government, have become involved in post-quantum cryptography. Most notable among these initiatives have been the National Institute of Standards and Technology (NIST)’s Post-Quantum Cryptography Standardization Project and Crypto Forum Research Group within the Internet Engineering Task Force.
However, what was missing was a coordinated effort amongst all actors to help advance and facilitate implementations of these algorithms. Research and standardization are a necessary first step, but they require implementation and adoption in order for a post-quantum future to be a reality. Moreover, in order to ensure wide adoption of these algorithms, we need to have software implementations that are widely used, reliable, and open source. This is where the PQCA is stepping in.
The overarching goal of the PQCA is to advance the adoption of post-quantum cryptography. It can achieve this with the twin sub-goals of first, producing high-assurance software implementations of standardized algorithms; and second, supporting the continued development and standardization of new post-quantum algorithms.
While the first concrete action of the PQCA has been to focus on building a broad coalition in order to carry out its mission, one of the core missions is to gather and help foster industry-wide adoption of the new post-quantum algorithms by gathering various implementations and ensuring they are ready for production use. The aim is to bring a combination of large and small companies creating, testing, and adopting these new post-quantum algorithms, and assist with integration of these algorithms into existing systems in use.
Currently, the PQCA has two primary projects under its umbrella. The first project is Open Quantum Safe, an open source project that includes: liboqs – an open source C library for quantum-resistant cryptographic algorithms – and prototype integrations into protocols and applications, including the widely used OpenSSL library. Open Quantum Safe has been in development for over ten years and was initially started as a project at the University of Waterloo.
The second project is the PQ Code Package project. This project aims to build high-assurance and formally verified software implementations of standards-track post-quantum cryptography algorithms. The initial focus of the project is the ML-KEM (Kyber) algorithm, which was selected for standardization; it is believed to be a viable public key encryption algorithm to provide quantum-resistant confidentiality to widely-used protocols such as TLS and SSH.
The PQCA would love to collaborate with you on existing post-quantum cryptography projects to build the community and help envision our future. Both the Open Quantum Safe and PQ Code Package projects are available today on GitHub for collaboration and feedback. We would also love proposals and submissions of new projects that the PQCA should be working on or helping support as well. For example, this may include tooling to facilitate adoption and testing of the new post-quantum algorithms or software that aids cryptographic agility or PQC migration.
Ultimately, all projects under the Linux Foundation succeed only when people are able to dedicate their time and effort to contribute code and build the community. To learn more about the PQCA, visit the website at https://pqca.org/. To get involved, sign up for the PQCA’s mailing list, follow the work on GitHub, or join the Discord. The PQCA welcomes your participation to help ensure a secure and reliable post-quantum future!