Review: The State of Post-Quantum Cryptography in Rust
391 views
Skip to first unread message
David Nugent
Aug 1, 2025, 6:22:07 AM8/1/25
to pqc-forum
Hi everyone,
As we all know, proper implementation is critical for secure adoption of the NIST PQC standards. I recently completed a review of current Rust support for ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), looking at available packages, their testing practices, and any evidence of independent audits.
In short: some packages appear production-ready, but I’m not aware of an audited Rust crate that covers all three algorithms.
I hope this overview will be useful for engineers planning migrations to post-quantum algorithms. If I’ve overlooked a relevant package, or if you spot an error in my findings, I’d welcome corrections and additions!
All the best,
David
Blumenthal, Uri - 0553 - MITLL
Aug 1, 2025, 6:33:00 AM8/1/25
to David Nugent, pqc-forum
Who cares if algorithms implemented one per crate, or three in one crate?
—
Regards,Uri
Secure Resilient Systems and Technologies
MIT Lincoln Laboratory
On Aug 1, 2025, at 06:22, David Nugent <d...@projecteleven.com> wrote:
This Message Is From an External SenderThis message came from outside the Laboratory.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/ab8d6dc9-6c3f-4559-aade-aa83b79a8ca1n%40list.nist.gov.
Aiden Fox-Ivey
Aug 2, 2025, 3:26:31 PM8/2/25
to Blumenthal, Uri - 0553 - MITLL, David Nugent, pqc-forum
I can think of a few reasons, but one might be that it means less overhead for an independent auditor - since they can assure that a crate as of some specific hash has been inspected.
It is also maybe more likely than not that someone using a given algorithm is disproportionately likely to also another algorithm that is similarly standardized.
I suspect that since the code does not (to my knowledge) consist of a large amount of generics, it should be relatively fast to build in one crate, so there wouldn't be much compile-time advantage to splitting up different algorithms.
Best,
Aiden
It is also maybe more likely than not that someone using a given algorithm is disproportionately likely to also another algorithm that is similarly standardized.
I suspect that since the code does not (to my knowledge) consist of a large amount of generics, it should be relatively fast to build in one crate, so there wouldn't be much compile-time advantage to splitting up different algorithms.
Best,
Aiden
Reply all
Reply to author
Forward
0 new messages