
Trail of Bits Ships ML-KEM and ML-DSA to Python's Top Crypto Library

blog.trailofbits.com · @threat_watch · 2 hours ago · Systems Engineering · 1 comment

Post-quantum key establishment and digital signatures are now one pip install away for 1.2-billion-downloads-per-month pyca/cryptography, with concrete migration deadlines set by the White House.

Tags: trail of bits, pyca cryptography, ml kem, ml dsa, post quantum cryptography, python

The White House says attackers may already be storing encrypted data today for quantum decryption tomorrow, and pyca/cryptography just gave 1.2 billion monthly pip installs a way to fight back. Trail of Bits shipped ML-KEM (FIPS 203) and ML-DSA (FIPS 204) into pyca/cryptography version 48, making NIST-standard post-quantum primitives available to every Python project from Ansible to Certbot to Apache Airflow.

The Numbers That Matter for Migration

Federal deadlines are concrete: December 31, 2030 for post-quantum key establishment on high-value systems, and December 31, 2031 for digital signatures. But the cryptographic library has to expose the algorithms first. pyca/cryptography is the eleventh most-downloaded package on PyPI, pulling 1.2 billion downloads in the last month alone. Without it, the Python ecosystem can't even begin the transition.

Size changes are brutal. Ed25519's 32-byte public key becomes 1,952 bytes for ML-DSA-65, and the signature goes from 64 bytes to 3,309 bytes. For key exchange, X25519's 32-byte public key becomes 1,184 bytes for ML-KEM-768, and the 32-byte value that crosses the wire to establish the secret becomes a 1,088-byte ciphertext. If your protocol hardcodes 32-byte fields, you're not doing a simple algorithm swap — you're redesigning wire formats, length prefixes, and chunking logic.
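To make the wire-format point concrete, here is an added example (not code from the Trail of Bits post or from pyca/cryptography) of a length-prefixed record format that carries either an Ed25519 or an ML-DSA-65 public key and signature, next to the kind of fixed-offset parser that silently mis-splits a post-quantum record. The algorithm labels, the 16-bit length prefix and the record layout are assumptions made for this example; the field sizes are the ones quoted above, and the key and signature bytes used in the test are constructed placeholders, not real keys.

```python
"""Length-prefixed framing that survives the classical-to-PQ size jump."""
import struct

# Sizes quoted in the article (bytes).
ED25519_PUBKEY, ED25519_SIG = 32, 64
MLDSA65_PUBKEY, MLDSA65_SIG = 1952, 3309
MLKEM768_PUBKEY, MLKEM768_CT = 1184, 1088

# Assumed algorithm labels -> (public key size, signature size). A parser
# that knows the expected sizes can reject inconsistent records instead
# of trusting whatever length the peer claims.
SIG_ALGS = {
    b"ed25519": (ED25519_PUBKEY, ED25519_SIG),
    b"ml-dsa-65": (MLDSA65_PUBKEY, MLDSA65_SIG),
}

MAX_FIELD = 0xFFFF  # 2-byte big-endian prefix; comfortably above 3,309


def encode_field(data: bytes) -> bytes:
    """Prefix a field with its 16-bit length."""
    if len(data) > MAX_FIELD:
        raise ValueError("field too large for 16-bit length prefix")
    return struct.pack(">H", len(data)) + data


def decode_field(buf: bytes, offset: int):
    """Read one length-prefixed field; fail loudly on truncation."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, offset)
    start, end = offset + 2, offset + 2 + n
    if end > len(buf):
        raise ValueError(f"truncated field: need {n} bytes, have {len(buf) - start}")
    return buf[start:end], end


def pack_signed(alg: bytes, pubkey: bytes, sig: bytes, payload: bytes) -> bytes:
    """Record layout (assumed): alg | pubkey | sig | payload, each length-prefixed."""
    pk_len, sig_len = SIG_ALGS[alg]
    if len(pubkey) != pk_len or len(sig) != sig_len:
        raise ValueError("key/signature size does not match algorithm")
    return b"".join(encode_field(f) for f in (alg, pubkey, sig, payload))


def unpack_signed(buf: bytes):
    """Parse a record and cross-check every length against the algorithm."""
    alg, off = decode_field(buf, 0)
    if alg not in SIG_ALGS:
        raise ValueError("unknown algorithm")
    pk_len, sig_len = SIG_ALGS[alg]
    pubkey, off = decode_field(buf, off)
    sig, off = decode_field(buf, off)
    payload, off = decode_field(buf, off)
    if len(pubkey) != pk_len or len(sig) != sig_len:
        raise ValueError("field length disagrees with algorithm")
    if off != len(buf):
        raise ValueError("trailing bytes after record")
    return alg, pubkey, sig, payload


def unpack_legacy_fixed(buf: bytes):
    """The pre-migration parser: pubkey(32) | sig(64) | payload, no lengths.

    Fed an ML-DSA-65 record it does not error; it returns the first 32 bytes
    of the key as 'the key' and the rest of the key as 'the signature'.
    """
    if len(buf) < ED25519_PUBKEY + ED25519_SIG:
        raise ValueError("too short")
    return buf[:ED25519_PUBKEY], buf[ED25519_PUBKEY:ED25519_PUBKEY + ED25519_SIG], buf[ED25519_PUBKEY + ED25519_SIG:]
```

The legacy parser is the failure mode to look for in an audit: it never raises on a post-quantum record, so the mis-split only shows up later as a signature verification failure, or not at all if the caller trusts the "key" it extracted.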

How the API Changes

ML-DSA mirrors the existing sign/verify pattern. Generate an MLDSA65PrivateKey, grab the public key, sign a message. The verify call raises InvalidSignature on failure. Straightforward.

ML-KEM is a different beast — it's a key encapsulation mechanism, not Diffie-Hellman. The receiver generates a keypair and publishes the public key. The sender calls public_key.encapsulate() to get a fresh shared secret and a ciphertext. The receiver calls private_key.decapsulate(ciphertext) to recover the same secret. No key agreement exchange. That mental model change matters for protocol designers.
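The encapsulate/decapsulate shape described above is worth seeing as code before touching a protocol. The following is an added example, not the library's ML-KEM implementation and not code from the Trail of Bits post: it builds a KEM with the same interface out of X25519 and HKDF (the DHKEM construction from RFC 9180, simplified), so the protocol-side functions are written once against `encapsulate()`/`decapsulate()` and would take a real ML-KEM key object of the same shape. The class names, the return order `(shared_secret, ciphertext)`, the HKDF context string and the 32-byte secret length are assumptions of this example; only the X25519 and HKDF calls from pyca/cryptography are real library API.

```python
"""KEM-shaped key establishment: no Diffie-Hellman exchange, just a ciphertext."""
from dataclasses import dataclass

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = dict(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)


def _kdf(ikm: bytes, context: bytes) -> bytes:
    # Bind the derived secret to both public values (assumed context label).
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"demo-dhkem:" + context).derive(ikm)


@dataclass(frozen=True)
class DhKemPublicKey:
    """Receiver's published key, shaped like the ML-KEM public key in the article."""
    raw: bytes

    def encapsulate(self) -> tuple[bytes, bytes]:
        # Sender side. A fresh ephemeral key is generated per call, so every
        # encapsulation yields a new secret. The ephemeral public key is the
        # 'ciphertext'; in a real KEM the ciphertext is opaque, but the
        # caller's view is identical: it gets (secret, ciphertext) and sends
        # only the ciphertext.
        eph = X25519PrivateKey.generate()
        eph_pub = eph.public_key().public_bytes(**RAW)
        dh = eph.exchange(X25519PublicKey.from_public_bytes(self.raw))
        return _kdf(dh, eph_pub + self.raw), eph_pub


class DhKemPrivateKey:
    """Receiver's long-term key: the only party that ever calls decapsulate()."""

    def __init__(self) -> None:
        self._sk = X25519PrivateKey.generate()
        self._pk_raw = self._sk.public_key().public_bytes(**RAW)

    def public_key(self) -> DhKemPublicKey:
        return DhKemPublicKey(self._pk_raw)

    def decapsulate(self, ciphertext: bytes) -> bytes:
        if len(ciphertext) != 32:  # 1,088 bytes for ML-KEM-768 instead
            raise ValueError("bad ciphertext length")
        dh = self._sk.exchange(X25519PublicKey.from_public_bytes(ciphertext))
        return _kdf(dh, ciphertext + self._pk_raw)


def sender_side(receiver_pub) -> tuple[bytes, bytes]:
    """Protocol code written against the KEM shape only.

    The sender needs no key of its own and never sees the receiver's
    private key; it returns the secret to keep and the ciphertext to send.
    """
    return receiver_pub.encapsulate()


def receiver_side(receiver_priv, ciphertext: bytes) -> bytes:
    """Recover the same secret from the private key and the received ciphertext."""
    return receiver_priv.decapsulate(ciphertext)


if __name__ == "__main__":
    receiver = DhKemPrivateKey()
    secret, ct = sender_side(receiver.public_key())
    assert receiver_side(receiver, ct) == secret
    print("shared secret established, ciphertext bytes:", len(ct))
```

Two properties of the KEM model fall out of the test below and matter for protocol design: each call to `encapsulate()` on the same public key produces a different secret and ciphertext, and a ciphertext decapsulated with the wrong private key yields a different secret rather than an error, so authentication has to come from somewhere else (a signature, or a pre-shared secret), exactly as with ML-KEM.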

What's Still Missing

SLH-DSA (FIPS 205), the hash-based signature standard, isn't in v48. Trail of Bits has started work on it. SLH-DSA offers a conservative fallback: huge signatures and slow signing, but security that relies only on hash functions studied for decades. If lattice-based ML-DSA gets broken, SLH-DSA is the hedge.

Primitives alone won't finish the migration. Tools like Certbot and Ansible need the protocols (TLS, SSH, code signing) to support these algorithms first. Trail of Bits is actively working with maintainers to integrate PQ algorithms into those protocols. The library is shipped; the hard part — protocol redesign and testing — is next.


Source: Shipping post-quantum cryptography to Python
Domain: blog.trailofbits.com
