Why does the current oqs-provider repo expose no PQC algorithms (Kyber, Dilithium, ML‑DSA) even though the provider loads successfully?

155 views
Skip to first unread message

Charles Emuze

unread,
May 7, 2026, 2:40:05 PM (2 days ago) May 7
to pqc-forum

Hi everyone,
I’m trying to set up a PQC‑TLS test environment using OpenSSL 3.0.2 on Ubuntu 22.04.5. I built liboqs from source (shared library, Kyber + ML‑DSA enabled), and OpenSSL successfully loads the OQS provider. However, when I run:

openssl list -kem-algorithms openssl list -signature-algorithms

I get no Kyber, Dilithium/ML‑DSA, or any PQC algorithms at all.

I verified the following:

  • oqsprovider loads and shows as active
  • liboqs.so is correctly linked
  • oqsconfig.h shows Kyber and ML‑DSA enabled
  • No errors during build
  • CMake ignores flags like OQS_PROVIDER_ENABLE_KEMS or OQS_PROVIDER_ENABLE_SIGS
  • Searching the current oqs-provider repo shows no KEM/SIG registration code (no Kyber, Dilithium, ML‑DSA, SPHINCS+, etc.)

It looks like the current oqs-provider repository no longer contains the PQC algorithm registration code that older versions used to expose.

My question:
Is the removal of PQC algorithms from the oqs-provider repository intentional?
If so, what is the recommended repository or branch for obtaining a PQC‑enabled OpenSSL 3 provider (Kyber, Dilithium/ML‑DSA, etc.) for research and TLS experimentation?

Any guidance or pointers to the correct historical commit or replacement project would be greatly appreciated.

Thanks!

Simo Sorce

unread,
May 7, 2026, 3:30:55 PM (2 days ago) May 7
to pqc-...@list.nist.gov
On Thu, 2026-05-07 at 11:40 -0700, Charles Emuze wrote:
>
> Hi everyone,
> I’m trying to set up a PQC‑TLS test environment using OpenSSL 3.0.2 on
> Ubuntu 22.04.5. I built liboqs from source (shared library, Kyber + ML‑DSA
> enabled), and OpenSSL successfully loads the OQS provider. However, when I
> run:
> openssl list -kem-algorithms openssl list -signature-algorithms
>
> I get no Kyber, Dilithium/ML‑DSA, or any PQC algorithms at all.
>
> I verified the following:
>
> - oqsprovider loads and shows as active
> - liboqs.so is correctly linked
> - oqsconfig.h shows Kyber and ML‑DSA enabled
> - No errors during build
> - CMake ignores flags like OQS_PROVIDER_ENABLE_KEMS or
> OQS_PROVIDER_ENABLE_SIGS
> - Searching the current oqs-provider repo shows no KEM/SIG registration
> code (no Kyber, Dilithium, ML‑DSA, SPHINCS+, etc.)
>
> It looks like the current oqs-provider repository no longer contains the
> PQC algorithm registration code that older versions used to expose.
>
> *My question:*
> Is the removal of PQC algorithms from the oqs-provider repository
> intentional?
> If so, what is the recommended repository or branch for obtaining a
> PQC‑enabled OpenSSL 3 provider (Kyber, Dilithium/ML‑DSA, etc.) for research
> and TLS experimentation?
>
> Any guidance or pointers to the correct historical commit or replacement
> project would be greatly appreciated.
>
> Thanks!

OpenSSL 3.5 and 4.0 have native PQC algorithms you do not need a
special provider anymore.

Best,
Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

Ayoub Zaki

unread,
May 7, 2026, 4:27:39 PM (2 days ago) May 7
to Simo Sorce, pqc-...@list.nist.gov
I think you need at least OpenSSL 3.2.x version to work.



--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/5bba5b473f23f0bc7e03706b71501b97a2e2500f.camel%40redhat.com.

Ayoub Zaki

unread,
May 7, 2026, 4:29:06 PM (2 days ago) May 7
to Simo Sorce, pqc-...@list.nist.gov
I did some work around that while ago check this docker container:

Reply all
Reply to author
Forward
0 new messages