Douglas Stebila, University of Waterloo
We’re pleased to announce the recent release of liboqs version 0.14.0 from the Open Quantum Safe project. liboqs 0.14.0 has several enhancements and security improvements.
This is the first release of liboqs to include the stable 1.0.0 version of PQ Code Package’s mlkem-native software, which features high performance C, AArch64, and AVX2 assembly implementations of ML-KEM. The C implementation in ML-KEM is accompanied by memory- and type-safety proofs, and the AArch64 assembly implementation has functional correctness proofs.
This release introduced support for SNOVA, a NIST Additional Signatures Round 2 candidate, and has a new optimized implementation of SHA3 using AVX-512VL instructions. This release also introduced a number of improvements to testing and infrastructure. The OQS project is now publishing benchmarking data on https://openquantumsafe.org/benchmarking and code coverage data on https://coveralls.io/github/open-quantum-safe/liboqs.
This release is the last one that will include both Dilithium (the NIST Round 3 version) and ML-DSA (the standardized version from FIPS 204). Future releases will only support ML-DSA. We strongly encourage applications to transition to ML-DSA as soon as possible. Please contact us if you have any concerns.
The full list of algorithms supported in liboqs 0.14.0 is:
- Key encapsulation mechanisms: BIKE, Classic McEliece, FrodoKEM, HQC, Kyber, ML-KEM, NTRU-Prime
- Signature schemes: CROSS, Dilithium, Falcon, LMS, MAYO, ML-DSA, SNOVA, SPHINCS+, UOV, XMSS
A security issue was fixed in this release of liboqs, reported as CVE-2025-52473. Multiple secret-dependent branches were identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang for optimization levels above -O0 (-O1, -O2, etc). HQC was disabled from the default built of liboqs in a previous release of liboqs, so this bug only affected users who explicitly enabled HQC in their build. The vulnerability was reported by Zhenzhi Lai and Zhiyuan Zhang from the University of Melbourne and the Max Planck Institute for Security and Privacy.
Upcoming liboqs releases. You can track progress on the next liboqs release on Github. The next release will likely take place in September or October 2025. We hope to include several more algorithms from the NIST Additional Signatures standardization project (with work in progress on SQIsign), as well as include SLH-DSA (FIPS 205) and add support again for the NTRU algorithm.
Getting involved. We are always looking for help in continuing to develop and maintain liboqs. We would be happy to receive more contributions of algorithms from the NIST Additional Signatures Round 2 candidates. We can always use more help on improving build support and our testing infrastructure, improve documentation, and fix bugs. Feel free to reach out to us on Github, by email, or pop by our weekly status call. Subscribe to the OQS Technical Steering Committee mailing list to get notifications of upcoming meetings or check the PQCA’s calendar.