Post-Quantum TLS

The Transport Layer Security (TLS) protocol

The Transport Layer Security (TLS) protocol is one of the most widely used security protocols today, protecting the information exchanged between web clients and servers all around the world. While TLS is secure against today’s classical computers, the asymmetric cryptography in TLS is unfortunately vulnerable to future attacks from quantum computers.


Both the RSA and Elliptic Curve Diffie-Hellman asymmetric algorithms which set up the TLS exchange will succumb to Shor’s algorithm on a sufficiently large quantum computer. While a quantum computer of that size and stability may be 5 to 15 years off, cryptographers from around the world are already working to identify new, quantum-safe algorithms.

Post-Quantum Cryptography TLS

Given the importance of TLS, preparing for the transition to post-quantum cryptography needs to start now. Asymmetric cryptography in TLS is vulnerable in two places:

  • Key exchange: the server and client exchange cryptographic messages, using asymmetric key exchange algorithms (such as RSA and ECDH) to derive a symmetric key. The symmetric key then encrypts the rest of the session. (The symmetric key algorithms that encrypt the session (e.g., AES) aren’t as vulnerable to quantum computers, so we simply need to increase their key length to secure against a quantum adversary.)
  • Authentication: during this step, the server (and optionally the client) proves its identity using its certificate’s public key, involving signature algorithms such as RSA or ECDSA.

In the future, quantum-safe algorithms will replace the use of RSA, ECDH, and ECDSA.

We recommend using these schemes in hybrid mode until the cryptographic community gains full confidence in the new post-quantum cryptography. In hybrid mode, both key exchanges and signatures are performed in parallel, generating both a classical exchange/signature and a post-quantum one. The resulting messages/signatures are combined, offering security against both current and future attacks.
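
As an added illustration (not code from the Open Quantum Safe fork or from Microsoft), the sketch below shows one common way to combine the two key-exchange outputs in TLS 1.3: concatenate the fixed-length classical and post-quantum shared secrets and feed the result into the key schedule where the (EC)DHE secret normally goes. The concatenation combiner, the function names, and the 32-byte constructed sample secrets are assumptions made for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def combine(classical_ss: bytes, pq_ss: bytes, classical_len: int, pq_len: int) -> bytes:
    """Concatenation combiner (assumed for this example). Lengths are fixed per
    algorithm pair, so the boundary between the secrets is unambiguous and an
    empty component cannot silently reduce the exchange to one algorithm."""
    if len(classical_ss) != classical_len or len(pq_ss) != pq_len:
        raise ValueError("component shared secret has unexpected length")
    return classical_ss + pq_ss


def handshake_secret(shared: bytes) -> bytes:
    """First steps of the TLS 1.3 key schedule, with `shared` in the (EC)DHE slot."""
    zeros = bytes(HASH_LEN)
    early = hkdf_extract(zeros, zeros)  # no PSK in use
    derived = hkdf_expand_label(early, b"derived", HASH(b"").digest(), HASH_LEN)
    return hkdf_extract(derived, shared)


if __name__ == "__main__":
    # Constructed stand-ins for the outputs of an ECDH exchange and a PQ KEM.
    classical = HASH(b"constructed classical shared secret").digest()
    post_quantum = HASH(b"constructed post-quantum shared secret").digest()
    print(handshake_secret(combine(classical, post_quantum, 32, 32)).hex())
```

Because both secrets enter the same extract step, an adversary who recovers only the classical secret still cannot compute the handshake secret without the post-quantum one, and vice versa.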

A PQ Crypto fork of OpenSSL

OpenSSL is an open-source implementation of the Transport Layer Security (TLS) protocol. We are collaborating with the Open Quantum Safe project to integrate post-quantum cryptography into TLS 1.2 and 1.3.

The Open Quantum Safe OpenSSL repository contains a fork of OpenSSL 1.1.1 that adds quantum-resistant key exchange and signature algorithms using liboqs for prototyping purposes. The library supports both hybrid and post-quantum key exchange and authentication. The post-quantum key exchange algorithms FrodoKEM and SIKE, and the signature algorithms Picnic and qTESLA, co-developed by Microsoft, are integrated into this project.

These libraries are for prototyping, experimentation, and for evaluating quantum-resistant cryptography. Post-quantum cryptography is an active area of research, and the security of proposed quantum-resistant algorithms may rapidly change as research advances. Any specific PQ algorithm, including those used here, may prove to be insecure.

The PQ fork of OpenSSL can be obtained here:

More information

For more information on Microsoft’s work in Post-Quantum Cryptography, see our main project page: