OpenSSL and PQC/FIPS support

[Raghu Chidambaram]

Hi Team,

Our organization is planning to go for PQC support so that application is quantum safe.

we are already FIPS 140-2 compliant and we are also in the process of making it FIPS 140-3 compliant as 140-2 will be sunset by Sep 2026.

FIPS

- Our application is FIPS 140-2 and with FIPS provider 3.0.9. We made this possible with the help of lot of to and fro discussions over the OpenSSL Forum for good amount of time :) :) .

For 140-3 we did analysis and understood that with OpenSSL version say 3.5.x we need to bundle the FIPS provider version 3.1.2 ( 140-3 compliant ) instead of 3.0.9( 140-2) compliant. Hope this is correct.

PQC

- For PQC we just started analysis and checking which all algorithms we need to use in order to make it PQC compliant. As part of this we want to understand which of OpenSSL supports PQC and is there any doc / list which conveys like from algorithm A we need to move to algorithm, means how to migrate from current set to PQC safe set is what we are checking mainly. 

- one more point what we understood from the discussions internally and with the teams who are handling inside our organization that FIPS and PQC cant go hand in hand, like if we are in FIPS 140-3 version we cant claim for PQC as algo's are different and if we are going to be PQC safe then we can't claim FIPS 140-3 support, is this correct statement? or our assumption is wrong?

Need your help and inputs to proceed on these aspects 

Thank you,

Raghu

[Neil Horman]

Raghu-

     PQC algorithms approved by FIPS include FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).  These are supported currently only by the 3.5.4 FIPS provider and later versions.  Currently 3.5.4 is undergoing review with our lab and NIST:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list

FIPS and PQC are definitely _not_ mutually exclusive, you can definitely use both PQC algorithms and be FIPS-140-3 compliant.  The only current barrier is that our provider has not yet been certified by NIST.  That need not be a barrier for you however, if you are planning on doing a full submission of openssl through your own lab (though the time effort on that is constrained by your lab and NIST).

Neil

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/9d605db8-9220-491c-9424-12b42ed92948n%40openssl.org.

[Martin Bonner]

My reading of the original email is that Raghu’s organization achieved FIPS compliance by using the FIPS-approved OpenSSL provider.  This is good, because I would have said that it while it is touch-and-go whether OpenSSL 3.5.4 is going to be FIPS-approved before Sep 2026, it is very unlikely that a submission made today by Raghu’s organization would be approved by then.

 

There is also a question of whether Raghu’s organization needs “FIPS approved”, or whether “FIPS pending” is good enough.  It is almost inconceivable to me that 3.5.4 won’t be eventually approved, it’s just a matter of bureaucracy.  OTOH, if FIPS approved is a contractual requirement (e.g. because the US Government is a customer), then until 3.5.4 is approved, FIPS and PQC are mutually exclusive with OpenSSL (and FIPS is impossible between Sep 2026 and the approval of 3.5.4).

 

On “PQC equivalents for classical algorithms”, don’t forget that if you are using AES128 you need to switch to AES256 (but AES256 is already considered acceptable).

 

Martin Bonner

 

 

From: Neil Horman <nho...@openssl.org>
Sent: 15 April 2026 14:53
To: Raghu Chidambaram <pcraghu...@gmail.com>
Cc: openssl-users <openss...@openssl.org>
Subject: [EXTERNAL] Re: OpenSSL and PQC/FIPS support

 

Raghu- PQC algorithms approved by FIPS include FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). These are supported currently only by the 3. 5. 4 FIPS provider and later versions. Currently 3. 5. 4 is undergoing review with our lab and

To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/CAJbOq16tR2n_U1tWtzbCUzt57PjEZQbiJRjvM-3vPQ3gkrGyXA%40mail.gmail.com.

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

[Raghu Chidambaram]

Thanks Martin Bonner and Neil,

Thanks for the information.

 then until 3.5.4 is approved, FIPS and PQC are mutually exclusive with OpenSSL (and FIPS is impossible between Sep 2026 and the approval of 3.5.4).

- [Raghu] so both are mutually exclusive if i understood correctly.

These are supported currently only by the 3.5.4 FIPS provider and later versions.  Currently 3.5.4 is undergoing review with our lab and NIST:

-[Raghu] I have little confusion here, when we are talkin about the OpenSSL version 3.5.4 is undergoing review means the FIPS provider ( fips modules) inside that 3.5.4 version which also contains the SSL and Crypto libraries am i correct. Just like OpenSSL 3.0.9 got FIPS 140-2 , OpenSSL 3.1.2 version got FIPS 140-3 , similarly OpenSSL 3.5.4 is going for CMVP validation and it will be 140-3 compliant or some other FIPS compliant?

PQC algorithms approved by FIPS include FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA)

-[Raghu] only above 3 algorithms are FIPS approved as of today? is that correct statement.

FIPS and PQC are definitely _not_ mutually exclusive, you can definitely use both PQC algorithms and be FIPS-140-3 compliant.

- [Raghu] we have release our application to all the products/customer in Dell saying that we are FIPS compliant, i m part of Dell Organization previously we were using OpenSSL 1.0.2 FIPS version which was supported by OpenSSL team for few years later we moved to OpenSSL 3.0.x and now we are at OpenSSL 3.5.5 version in our application.

so we cant use few algorithms which are PQC and few which are FIPS 140-3 and claim for both? is that correct? we want to claim FIPS 140-3 as of now which is in progress and if we move to PQC safe algorithms ( somehow not sure as of now) then we cant claim for FIPS 140-3 right?

Thanks,

Raghu

[Raghu Chidambaram]

HI Team,

GM,

In https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list

OpenSSL FIPS Provider
The OpenSSL Corporation 

• OpenSSL Corporation
• corpo...@openssl.org
• Voice: 877-673-6775

FIPS 140-3
Pending Review (11/25/2025)

For the above OpenSSL FIPS validation is in progress, that means here with OpenSSL 3.5.4 which contains the PQC related algorithms.

so once this get the approval then all the PQC algorithms which are part of this OpenSSL will be FIPS 140-3 compliant and as i mentioned earlier then we can 

take this OpenSSL 3.5.4 FIPS provider and bundle in our application to claim both PQC and FIPS compliant ?

please correct me if our understanding is wrong

Thanks,

Raghu

[Martin Bonner]

> then all the PQC algorithms which are part of this OpenSSL will be FIPS 140-3 compliant

 

Not quite (or at least, not necessarily).  The correct statement is “all the algorithms (including PQ algorithms) supported by the FIPS provider in this OpenSSL will be FIPS 140-3 compliant”. 

 

I haven’t checked, but it is perfectly possible that there are unapproved PQ algorithms which are supported by the base provider.  In the classical world, the base provider supports CAMELLIA (or at least, it used to), the FIPS provider has never supported CAMELLIA because it isn’t an approved algorithm.

 

Martin Bonner

 

 

From: Raghu Chidambaram <pcraghu...@gmail.com>
Sent: 16 April 2026 07:12
To: openssl-users <openss...@openssl.org>
Cc: Raghu Chidambaram <pcraghu...@gmail.com>; Martin Bonner <Martin...@entrust.com>
Subject: Re: [EXTERNAL] Re: OpenSSL and PQC/FIPS support

 

HI Team, GM, In https: //csrc. nist. gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list OpenSSL FIPS Provider The OpenSSL Corporation OpenSSL Corporation corporation@ openssl. org Voice: 877-673-6775 FIPS

[Raghu Chidambaram]

Thanks Martin Bonner,

Not quite (or at least, not necessarily).  The correct statement is “all the algorithms (including PQ algorithms) supported by the FIPS provider in this OpenSSL will be FIPS 140-3 compliant”. 

-- As we are claiming for FIPS 140-3 for our application we need to ourselves make sure that we use only PQC safe algorithms which are approved in the OpenSSL 3.5.4 ( once it is done ) to claim both PQC and FIPS compliant :) :)

Thanks,

Raghu

[Raghu Chidambaram]

Hi Team,

Not quite (or at least, not necessarily).  The correct statement is “all the algorithms (including PQ algorithms) supported by the FIPS provider in this OpenSSL will be FIPS 140-3 compliant”. 

-- As we are claiming for FIPS 140-3 for our application we need to ourselves make sure that we use only PQC safe algorithms which are approved in the OpenSSL 3.5.4 ( once it is done ) to claim both PQC and FIPS compliant :) :)

is this correct understanding for the both claims?

[Martin Bonner]

The point I was trying to make, is that you will need to ensure you are using the FIPS provider (and not the default provider) if you want to claim FIPS compliance. Obviously if you want to claim PQ safety, you will need to make sure you use PQ safe algorithms.  (Personally I would strongly consider use hybrid algorithms, but that is up to you.)

 

Martin Bonner

 

 

From: Raghu Chidambaram <pcraghu...@gmail.com>
Sent: 23 April 2026 08:41
To: openssl-users <openss...@openssl.org>
Cc: Raghu Chidambaram <pcraghu...@gmail.com>; Martin Bonner <Martin...@entrust.com>
Subject: Re: [EXTERNAL] Re: OpenSSL and PQC/FIPS support

 

Hi Team, Not quite (or at least, not necessarily). The correct statement is “all the algorithms (including PQ algorithms) supported by the FIPS provider in this OpenSSL will be FIPS 140-3 compliant”. -- As we are claiming for FIPS 140-3 for

[Raghu Chidambaram]

Thanks Martin Bonner,

Obviously if you want to claim PQ safety, you will need to make sure you use PQ safe algorithms.  (Personally I would strongly consider use hybrid algorithms, but that is up to you.)

- yes this is what i m also understanding and it is hybrid but we need to use the PQ safe algo which are FIPS certified correct?