Compatibility
Library support, browser compatibility, TLS implementations, and platform availability for post-quantum cryptography algorithms. PQC support is evolving quickly — always verify against current release notes before deployment.
Cryptographic libraries
| Library | Language | ML-KEM | ML-DSA | SLH-DSA | Hybrid | Production |
|---|---|---|---|---|---|---|
| OpenSSL 3.5+ | C | 512 / 768 / 1024 | 44 / 65 / 87 | All variants | TLS 1.3 | Yes |
| liboqs 0.11.0+ | C + bindings | All | All | All | Via provider | Yes |
| CIRCL 1.3.0+ | Go | 768 / 1024 | 65 / 87 | — | X25519+ML-KEM | Yes |
| pqcrypto 0.18.0+ | Rust | All | All | All | Manual composition | Yes |
| BouncyCastle 1.78+ | Java / C# | All | All | All | X.509 hybrid | Yes |
| Go stdlib (1.24+) | Go | 768 / 1024 | Planned | — | crypto/tls | Yes |
| wolfSSL | C | All | All | All | TLS 1.3 | Yes |
| WebCrypto | JavaScript | Draft spec | Draft spec | — | TBD | Not yet |
Go stdlib crypto/mlkem (Go 1.24+) provides ML-KEM-768 and ML-KEM-1024. ML-DSA support is planned for a future release.
Minimum version requirements
| Component | ML-KEM | ML-DSA | SLH-DSA | Notes |
|---|---|---|---|---|
| OpenSSL | 3.5.0 | 3.5.0 | 3.5.0 | Native provider; no OQS provider required |
| liboqs | 0.11.0 | 0.11.0 | 0.11.0 | FIPS 203 / 204 / 205 final specs |
| Go stdlib | 1.24 (768 + 1024) | TBD | — | crypto/mlkem, crypto/tls |
| CIRCL | 1.3.0 | 1.3.0 | — | Final FIPS naming |
| pqcrypto (Rust) | 0.18.0 | 0.18.0 | 0.18.0 | FIPS naming aligned |
| BouncyCastle | 1.78 | 1.78 | 1.78 | Java and C# (BC-FIPS) builds |
| liboqs-python | 0.11.0 | 0.11.0 | 0.11.0 | Matches liboqs version |
TLS and browser support
All major browsers ship X25519MLKEM768 hybrid key exchange by default. The hybrid combines X25519 (classical) with ML-KEM-768 so that a compromise of either component alone does not compromise the session key.
| Browser | First version | Key exchange | Status |
|---|---|---|---|
| Chrome / Chromium | 131+ | X25519MLKEM768 | Production — default enabled. Chrome 124 shipped X25519Kyber768Draft00 (pre-standard); 131+ uses the final ML-KEM codepoint. |
| Firefox | 132+ | X25519MLKEM768 | Production — default enabled. Experimental pref security.tls.enable_kyber present in earlier releases. |
| Safari / WebKit | 26+ (Sep 2025) | X25519MLKEM768 | Production — macOS and iOS. |
| Edge | 131+ (Chromium) | X25519MLKEM768 | Inherits Chromium support; default enabled. |
Server and CDN support
| Platform | Type | Hybrid KEM | PQ certificates | Status |
|---|---|---|---|---|
| Cloudflare | CDN | X25519MLKEM768 | Testing | Production |
| AWS CloudFront | CDN | X25519MLKEM768 | No | Production |
| Google Cloud CDN | CDN | X25519MLKEM768 | No | Production |
| nginx | Web server | Via OpenSSL 3.5 | Via OpenSSL | Available |
| Apache httpd | Web server | Via OpenSSL 3.5 | Via OpenSSL | Available |
| HAProxy | Load balancer | Via OpenSSL 3.5 | Via OpenSSL | Available |
| Caddy | Web server | Go crypto/tls | No | Go 1.24+ |
| Envoy | Proxy | BoringSSL | Experimental | Available |
VPN and messaging protocols
WireGuard
The Rosenpass project provides a post-quantum key exchange layer on top of WireGuard, combining ML-KEM with Classic McEliece. PQWireGuard is a research implementation. Both are experimental — neither is part of the upstream WireGuard codebase.
OpenVPN
OpenVPN gains PQ support through OpenSSL 3.5+ (native ML-KEM / ML-DSA) or the OQS provider for hybrid mode. Configuration is manual; there are no out-of-the-box PQ defaults.
Signal — PQXDH
Signal deployed PQXDH (Post-Quantum Extended Diffie-Hellman) in September 2023, using Kyber-1024 (pre-standard, predating FIPS 203) combined with X25519. The spec is Signal's own — there is no corresponding IETF draft. Signal's 2025 SPQR ratchet work adds ML-KEM-768. The deployed Kyber-1024 keys are wire-incompatible with FIPS 203 ML-KEM; a migration path is required to move to the final standard.
iMessage — PQ3
Apple's PQ3 protocol provides post-quantum security for iMessage with ongoing ratcheting. It is a hybrid of P-256 and pre-standard Kyber-768 (deployed March 2024, iOS 17.4+). The Kyber-768 component is wire-incompatible with FIPS 203 ML-KEM: the codepoint and encoding differ from the final standard.
HSM support
Major HSM vendors began shipping PQC firmware in 2024–2025. Thales Luna, Entrust nShield, and Utimaco have released ML-KEM and / or ML-DSA support across recent firmware versions. FIPS 140-3 validation status varies by model and firmware revision — check each vendor's current CMVP certificate list before relying on HSM PQC for validated-module requirements. Older HSM models may not receive PQ firmware upgrades; plan accordingly.
Known compatibility issues
Large ClientHello
Hybrid key shares add roughly 1.2 KB to the TLS ClientHello. Some older firewalls, WAFs, and middleboxes drop oversized records. Mitigation: update or bypass affected middleboxes; configure a classical fallback for legacy paths.
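Added example (not from the original page): a small Python parser that lists the key_share groups offered in a TLS ClientHello record and measures how many bytes the hybrid share adds. Run against a capture, it shows whether a client offers the final X25519MLKEM768 codepoint or the pre-standard draft one. The sample records are constructed with zero-filled keys; the codepoints are those of the IANA TLS Supported Groups registry, and the function names are illustrative.

```python
import struct

# Named-group codepoints from the IANA TLS Supported Groups registry.
GROUPS = {
    0x001D: "x25519",
    0x11EC: "X25519MLKEM768",         # final hybrid codepoint
    0x6399: "X25519Kyber768Draft00",  # pre-standard hybrid
}
KEY_SHARE = 51  # key_share extension type


def key_shares(record: bytes):
    """Return [(group, key_exchange_len)] offered in a TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                                 # headers, version, random
    pos += 1 + record[pos]                               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    if end > len(record):
        raise ValueError("truncated ClientHello")
    pos, shares = pos + 2, []
    while pos + 4 <= end:                                # walk the extensions
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == KEY_SHARE:
            p, stop = pos + 2, min(pos + ext_len, end)   # skip client_shares length
            while p + 4 <= stop:
                group, klen = struct.unpack_from("!HH", record, p)
                shares.append((GROUPS.get(group, hex(group)), klen))
                p += 4 + klen
        pos += ext_len
    return shares


def build_sample(offers):
    """Constructed ClientHello with only a key_share extension (zero-filled keys)."""
    entries = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in offers)
    ext = struct.pack("!HHH", KEY_SHARE, len(entries) + 2, len(entries)) + entries
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


CLASSICAL = build_sample([(0x001D, 32)])
HYBRID = build_sample([(0x11EC, 1184 + 32), (0x001D, 32)])  # ML-KEM-768 ek + X25519
print(key_shares(HYBRID), len(HYBRID) - len(CLASSICAL), "extra bytes")
```

The hybrid client share is the 1184-byte ML-KEM-768 encapsulation key followed by the 32-byte X25519 share, which accounts for the roughly 1.2 KB increase described above.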
Certificate chain size
PQ certificates are significantly larger than RSA equivalents: an ML-DSA leaf is roughly 3–5 KB versus ~1 KB for RSA; a three-certificate ML-DSA chain runs ~15 KB versus ~3 KB. Certificate compression (RFC 8879) can help. Connection issues at MTU boundaries are possible with uncompressed PQ chains.
Algorithm naming
Some libraries still use pre-standardization names (kyber768, dilithium3) alongside or instead of the FIPS names (ML-KEM-768, ML-DSA-65). Check library version and documentation carefully. Keys generated under old names are not interchangeable with FIPS-named keys: the encoding may differ.