
Post-Quantum Cryptography Alliance One Year Anniversary

April 9, 2025

It’s hard to believe that one year has passed since the start of the PQCA! The year has been very busy for both PQCA and the broader developer community working towards widespread adoption of post-quantum cryptography (PQC). We’ve seen some big developments from mainstream companies: Apple switched over its iMessage protocol to post-quantum cryptography almost exactly a year ago (with a security review co-led by our very own Douglas Stebila!), setting the stage for a number of high-profile migrations. AWS announced a roadmap this past December with very detailed information for users of their cloud services. With all of this momentum, it certainly appears to us that 2025 is going to be the biggest year yet for post-quantum cryptography, which both excites us and, we feel, is necessary to prepare for the eventual arrival of powerful quantum computers.

So how did we get here? The PQCA was founded a year ago by a number of companies, including AWS, Cisco, Google, IBM, and NVIDIA, in close consultation with Douglas Stebila and the Open Quantum Safe (OQS) project to provide a home for post-quantum cryptography code projects in the Linux Foundation. As the world’s most trusted foundation for open source software, hosting projects like the Linux kernel, Kubernetes, and the Academy Software Foundation, the Linux Foundation was a natural place for a collaborative development effort in post-quantum cryptography. However, the PQCA’s goals include not only core cryptographic development but also building tools to make PQC and PQC migration easier for those who might not have access to cryptographers, as well as education and outreach.

The PQCA currently has three main projects.  The first project, contributed by Douglas Stebila and Michele Mosca from the University of Waterloo, was the famous OQS project.  OQS was already being used, even in practice, by early PQC adopters, and has been very strongly supported by the broader academic cryptography community.  Soon afterwards, the Post-Quantum Code Package (PQCP) project was started by a diverse group of contributors from both industry and academia, with a focus on formally verified implementations for the NIST-approved standards.  We have also seen the development of tooling for PQC migration, including a nifty new tool that automatically generates a cryptographic bill of materials (CBOM).  We will next explain a little more about these PQCA projects.

We emphasize that the PQCA is always willing to host new projects that meet our criteria in the PQC space. If you’re interested in potentially contributing or starting a project, please reach out to us or attend one of our technical advisory committee (TAC) meetings.  We would love to hear from you on this!

Main Projects

Open Quantum Safe (OQS)

It was a year of firsts for liboqs, the C library which forms the core of the OQS software suite. Following its mission to support research in quantum-safe cryptography, OQS released four versions of liboqs, which added support for six new algorithms, including ML-KEM and ML-DSA, two of the NIST standards published in August 2024. This year also saw the project’s first integration of formally verified code: Formosa Crypto’s implementation of Kyber. Augmenting its research focus, OQS took steps to harden the security of liboqs. The library was integrated into Google’s OSS-Fuzz project and had its core code audited by Trail of Bits. Earlier this month, OQS adopted its first official security response process for liboqs.

All of the new algorithms in liboqs were made available in OpenSSL via oqs-provider, which saw four releases in the past year. The OQS forks of BoringSSL and OpenSSH were also brought up to date and released. The oqs-demos repository, which contains Docker images for proof-of-concept quantum-safe versions of applications such as cURL, Nginx, and Chromium, was revitalized. The liboqs-cpp, liboqs-go, liboqs-java, liboqs-python, and liboqs-rust projects, which enable the use of liboqs in additional programming languages, each saw releases to stay in sync with liboqs and add improvements of their own.

In its first year as a Linux Foundation project, OQS saw fruitful collaborations with a number of partners within the PQCA. Among these were integrations with the Post-Quantum Code Package’s implementation of ML-KEM and NVIDIA’s cuPQC CUDA library for GPU-accelerated quantum-safe cryptography. OQS also received substantial contributions from engineers at PQCA member companies, including AWS, Cisco, IBM, and SandboxAQ.

In the year ahead, OQS aims to add support for additional signature algorithms, including SLH-DSA, FN-DSA, and submissions to the NIST signature on-ramp. OQS is also looking to grow its small base of maintainers, which is a necessary step to drive further security improvements. If you have benefited from OQS software, we encourage you to invest in the project’s future by contributing.

OQS is a community-driven project, and we are grateful for all the partners and contributors—academic, industrial, and independent—who have supported development over the past year. We look forward to another year of aiding the transition to quantum-resistant cryptography.

PQ Code Package (PQCP)

One year ago, the PQCA launched the PQ Code Package (PQCP) project with the vision of creating a central hub for high-assurance implementations of standardized post-quantum cryptography algorithms and simplifying access to these crucial tools for developers and researchers.

Our first year saw significant progress. A transparent project structure has been developed, with the technical direction of the project managed through regular, publicly accessible meetings of a Technical Steering Committee (TSC). Details are in the PQCA calendar, and minutes are on GitHub. Discussions are also taking place in the public PQCA Discord channel and on GitHub.

On the technical side, one highlight is the development of mlkem-native. This project, led by Hanno Becker (AWS) and Matthias Kannwischer (Chelpis), has produced a fast, secure, and portable C90 implementation of the ML-KEM / FIPS 203 standard, based on the reference implementation from the algorithm’s authors, the CRYSTALS team. mlkem-native offers high performance through aggressive optimization backed by formal verification, both at the C level (using CBMC) and at the assembly level (using HOL-Light). mlkem-native is already the default ML-KEM implementation within liboqs.

Another highlight is the completion of the formal verification of an aggressively optimized AVX2 rejection sampling routine for mlkem-libjade matching the performance of non-verified code. This work will be presented at IEEE S&P 2025. mlkem-libjade provides self-contained formally verified x86-64 assembly implementations of ML-KEM, and is developed by the Formosa Crypto team using Jasmin and EasyCrypt. The formal verification covers full functional correctness, as well as constant-time and speculative constant-time countermeasures.

We also initiated and progressed the following repositories under the PQCP:

  • mlkem-rust-libcrux offers a portable ML-KEM implementation in Rust, with ongoing efforts to optimize it for AVX2 and ensure its formal verification.
  • mldsa-native aims to develop a production-ready, high-assurance implementation of the ML-DSA signature standard.

Looking ahead, our priorities are to widen the scope of formal verification, especially for AVX2, and to use it as a vehicle for the confident adoption of aggressively optimized assembly. We will also be actively advancing the development of ML-DSA implementations in several projects.

We invite you to contribute to the PQCP and help us build a secure future in the face of quantum computing. Explore our projects on GitHub, join discussions on Discord, and consider joining our community!

Tooling

Established in 2024, the PQCA Tooling Working Group has made significant progress in improving tooling for post-quantum cryptography. Our primary focus has been on advancing tools for Cryptographic Bill of Materials (CBOMs), a standardized format for representing cryptographic assets. We believe CBOMs will play a critical role in quantum-safe migration and beyond, providing transparency and visibility into cryptographic usage.

Highlights and Outlook

CBOMkit-action: We have developed a GitHub action for generating CBOMs and recently released version v1.1.0 with support for Java and Python. This tool aims to drive CBOM adoption in the open-source community, providing maintainers with an easy-to-use solution for automatic CBOM generation during releases. In 2025, we plan to extend the CBOMkit action to support additional languages.

Driving CBOM Adoption & Community Building: We have taken initial steps to build a sustainable community around our efforts. In 2025, we will continue to engage with open source maintainers and industry stakeholders to foster collaboration and CBOM adoption. Our goal is to expand CBOM support by reaching out to more open source projects and educating maintainers about the benefits of CBOM.

Get Involved

We invite all members of the PQCA community and beyond to contribute to advancing cryptographic transparency through CBOMs:

  • Test our Tools: Implement the GitHub Action in your projects and provide feedback.
  • Spread Awareness: Share our work within your networks.
  • Collaborate: If you maintain an open-source project or library, let us help you integrate CBOMs.
  • Join Our Meetings: Participate in our bi-weekly working group meetings to stay updated.

The PQCA Tooling Working Group is a collaborative effort, and we appreciate the support of all members who have contributed to our initiatives. We look forward to another year of facilitating the transition to quantum-safe cryptography through our tooling efforts.

Together, we can ensure that the post-quantum future is open. ❤️

What Next?

The PQCA’s upcoming steps include elections, lifecycle document updates, and project onboarding. First, leadership elections will select the Technical Advisory Committee chair and vice-chair, and the Technical Community Representative. Second, the PQCA lifecycle document, defining project lifecycles, will undergo its mandatory annual revision, requiring votes. Finally, to ensure growth, the contributor and project pipeline will be reviewed and expanded.

Conclusion

In 2025, the quantum computing race intensifies, leading to widespread acceptance of a potential “Q-day” by the decade’s end. To mitigate the risks of a rushed post-quantum cryptography transition, organizations like the PQCA are proactively developing and promoting essential quantum-safe software and algorithms. 

Expect expanded PQCA projects and refinements based on user feedback, with a focus on real world PQC deployment. Join us to contribute to realizing widespread PQC adoption!
