Post-quantum cryptography libraries
Post-quantum cryptography libraries are software implementations of quantum-resistant algorithms such as ML-KEM, ML-DSA, and SLH-DSA that applications and protocols call instead of, or alongside, classical cryptography. This page is a maintained directory of notable libraries as of early 2026, grouped by role, with notes on which are production-grade and which are research code.
How to read this directory
Most production deployments today use post-quantum algorithms for key exchange in hybrid mode, driven by the harvest now, decrypt later threat; post-quantum signatures see less deployment because certificate ecosystems move slowly (PKI migration to post-quantum). Production-grade below means the maintainers support the code for production use; research means the project itself advises caution. Licenses are summarized; check each project for exact terms.
General-purpose libraries
Libraries applications link against for post-quantum primitives across many schemes.
| Library | Language | Algorithms | License | Link |
|---|---|---|---|---|
| liboqs | C (wrappers: Python, Go, Rust, Java, .NET) | ML-KEM, ML-DSA, SLH-DSA, Falcon, HQC, FrodoKEM, Classic McEliece, BIKE, more | MIT | GitHub |
| Bouncy Castle | Java, C# | ML-KEM, ML-DSA, SLH-DSA, Falcon, FrodoKEM, Classic McEliece, LMS, XMSS, more | MIT-style | bouncycastle.org |
| Botan | C++ | ML-KEM, ML-DSA, SLH-DSA, XMSS, LMS/HSS, FrodoKEM, Classic McEliece | BSD-2-Clause | GitHub |
| Cloudflare CIRCL | Go | ML-KEM, ML-DSA, Kyber, Dilithium, X-Wing hybrid KEM | BSD-3-Clause | GitHub |
| mlkem-native | C | ML-KEM only | Apache-2.0 | GitHub |
liboqs offers the broadest algorithm coverage behind one API and is the standard research and prototyping choice, but its own guidance still favors production-supported implementations for deployment. Bouncy Castle is a long-established production library and the default route for Java and .NET. Botan and CIRCL are maintained production code from single vendors or maintainers; CIRCL powers parts of Cloudflare's edge. mlkem-native, from the Post-Quantum Cryptography Alliance's PQ Code Package project, takes the opposite approach to liboqs: one algorithm, production-grade, with machine-checked proofs for portions of the code, and it is consumed by liboqs itself.
TLS stacks
TLS implementations with built-in post-quantum support, the main deployment vehicle for post-quantum TLS.
| Library | Language | Algorithms | License | Link |
|---|---|---|---|---|
| OpenSSL 3.5+ | C | ML-KEM, ML-DSA, SLH-DSA; hybrid TLS groups on by default | Apache-2.0 | openssl.org |
| BoringSSL | C, C++ | ML-KEM hybrid TLS groups; ML-DSA and SLH-DSA experimental | OpenSSL/ISC mix | GitHub |
| AWS-LC | C | ML-KEM, ML-DSA | Apache-2.0/ISC mix | GitHub |
| s2n-tls | C | Hybrid ML-KEM TLS groups (via AWS-LC) | Apache-2.0 | GitHub |
| wolfSSL | C | ML-KEM, ML-DSA, LMS, XMSS | GPL or commercial | wolfssl.com |
| GnuTLS | C | Hybrid ML-KEM TLS groups (3.8 series) | LGPL-2.1+ | gnutls.org |
All of these are production code. OpenSSL 3.5 (April 2025, LTS) made hybrid key exchange a default for the largest installed base (openssl.org). BoringSSL backs Chrome and Google services and shipped hybrid post-quantum key exchange to browsers first (browser post-quantum adoption). AWS-LC is Amazon's BoringSSL-derived library with FIPS-validated lineage; s2n-tls builds on it and has carried hybrid post-quantum key exchange in AWS services for years, first with pre-standard candidates and now ML-KEM. wolfSSL targets embedded systems and adds the stateful hash-based signatures LMS and XMSS. Outside TLS, OpenSSH ships its own post-quantum key exchange (post-quantum SSH), and Mozilla's NSS provides the hybrid group used by Firefox.
Reference implementations
Source collections meant for study, vendoring, and porting rather than linking as packaged libraries.
| Library | Language | Algorithms | License | Link |
|---|---|---|---|---|
| [[pqclean | PQClean]] | C | ML-KEM, ML-DSA, SLH-DSA, Falcon, HQC, Classic McEliece | CC0/MIT per scheme |
| pq-crystals Kyber | C | Kyber (pre-standard ML-KEM) | CC0/Apache-2.0 | GitHub |
| pq-crystals Dilithium | C | Dilithium (pre-standard ML-DSA) | CC0/Apache-2.0 | GitHub |
| SPHINCS+ reference | C | SPHINCS+ (basis of SLH-DSA) | CC0 | GitHub |
| Falcon reference | C | Falcon (planned FN-DSA / Falcon) | MIT | falcon-sign.info |
PQClean is the curated, continuously tested collection most downstream projects vendor. The team repositories preserve the original NIST Post-Quantum Cryptography Standardization submissions; note that the final FIPS standards differ in small but incompatible ways from the pre-standard Kyber and Dilithium versions.
Language-specific
| Library | Language | Algorithms | License | Link |
|---|---|---|---|---|
| Go standard library (crypto/mlkem) | Go | ML-KEM-768, ML-KEM-1024; X25519MLKEM768 in crypto/tls | BSD-3-Clause | go.dev |
| rustls with aws-lc-rs | Rust | X25519MLKEM768 hybrid TLS | Apache-2.0/MIT/ISC | GitHub |
| pqcrypto crates | Rust | PQClean schemes via bindings | MIT/Apache-2.0 | GitHub |
| RustCrypto | Rust | ML-KEM, ML-DSA, SLH-DSA in pure Rust, pre-1.0 | MIT/Apache-2.0 | GitHub |
| liboqs wrappers | Python, Go, Rust, Java, .NET | All liboqs algorithms | MIT | GitHub |
Go made post-quantum cryptography a standard library feature: Go 1.24 (February 2025) added the crypto/mlkem package and enabled the X25519MLKEM768 hybrid in crypto/tls by default, production-grade and maintained by the Go team. In Rust, rustls gets X25519MLKEM768 through its aws-lc-rs based provider, enabled by default in recent releases as of early 2026; the pure-Rust RustCrypto implementations are convenient but pre-1.0 and not independently audited. Java and .NET developers generally use Bouncy Castle, listed above.
Choosing a library
For production TLS, prefer what your platform already ships: OpenSSL 3.5+, BoringSSL or AWS-LC, the Go standard library, or rustls. For production use of the raw primitives, Bouncy Castle, Botan, CIRCL, AWS-LC, and mlkem-native are maintained for that purpose. For research, benchmarking, or evaluating many algorithms behind one API, use liboqs; for auditable source to vendor into constrained or embedded systems, use PQClean. Whatever the choice, wrapping the library behind an internal interface preserves cryptographic agility for the algorithm changes still ahead. This directory is revised as libraries add algorithms; entries reflect the state as of early 2026.
Sources
- liboqs source repository (Open Quantum Safe project, 2025)
- PQClean source repository (PQClean project, 2025)
- OpenSSL project site (OpenSSL Project, 2025)
- AWS-LC source repository (Amazon Web Services, 2025)
- CIRCL: Cloudflare Interoperable Reusable Cryptographic Library (Cloudflare, 2025)
- Bouncy Castle project site (Legion of the Bouncy Castle, 2025)
- mlkem-native source repository (Post-Quantum Cryptography Alliance, 2025)
- Go 1.24 release notes (Go project, 2025)
Cite this entry
"Post-quantum cryptography libraries." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/pqc-libraries@misc{pqwiki-pqc-libraries,
title = {Post-quantum cryptography libraries},
howpublished = {\url{https://postquantum.wiki/pqc-libraries}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}