Paragon Initiative Enterprises Blog

The latest information from the team that develops cryptographically secure PHP software.

Post-Quantum Cryptography for the PHP Community

Recently, Google announced an aggressive 2029 timeline for migrating to Post-Quantum Cryptography. Earlier today, Cloudflare announced that they're matching Google on a 2029 roadmap.

It's high time the PHP community took this threat seriously as well.

Last year, we proposed a roadmap for getting post-quantum cryptography in the PHP ecosystem. We received a lot of valuable feedback in the discussions that followed and decided to shift gears a little.

Today, we're releasing two open source projects to help PHP software mitigate the risk of a cryptographically relevant quantum computer (CRQC).

ext-pqcrypto

ext-pqcrypto is a PHP extension written in Rust, made possible by the ext-php-rs project. It wraps the RustCrypto post-quantum KEMs and digital signature algorithms for use in PHP software.

Once installed, it exposes a PQCrypto namespace.

<?php
if (!extension_loaded('pqcrypto')) {
    die('extension not loaded');
}
[$sk, $pk] = PQCrypto\XWing::generateKeypair();

[$sharedSecret, $ciphertext] = $pk->encapsulate();
$recipientSecret = $sk->decapsulate($ciphertext);

assert(hash_equals($recipientSecret, $sharedSecret));

As more community resources are focused on the RustCrypto implementations of these post-quantum algorithms (i.e., to improve performance and provide higher assurance for the implementations' correctness), our PHP extension will be updated in tandem with new releases. Therefore, the PHP community can benefit automatically from the cryptography engineering already taking place in the Rust ecosystem.

pqcrypto_compat

Installing a PHP extension isn't always an option for the installed base of the PHP programming language.

Many years ago, this observation motivated the creation of sodium_compat (a pure-PHP implementation of libsodium).

Similarly, we are developing pqcrypto_compat: a pure-PHP implementation of these post-quantum algorithms for systems that cannot install ext-pqcrypto. We currently ship all three ML-KEM parameter sets, all ML-DSA parameter sets, and the hybrid X-Wing KEM.

In accordance with the Zeroth Rule of PHP Cryptography, if the extension is installed, the Compat API will prefer the Rust implementation.

<?php
declare(strict_types=1);
use ParagonIE\PQCrypto\Compat;

// Key generation
[$decapsKey, $encapsKey] = Compat::xwing_keygen();

// Encapsulation
['sharedKey' => $ss, 'ciphertext' => $ct] = Compat::xwing_encaps($encapsKey);

// Decapsulation
$sharedKey = Compat::xwing_decaps($decapsKey, $ct);
var_dump(hash_equals($ss, $sharedKey)); // bool(true)
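
A KEM only yields a shared secret, so the following added example (not code from Paragon Initiative Enterprises or from pqcrypto_compat) shows one way to use the Compat calls above to protect a message. It assumes Composer autoloading, ext-sodium, and that the shared key and KEM ciphertext are raw byte strings; `xwing_seal`, `xwing_open` and the `SEAL_INFO` label are hypothetical names.

```php
<?php
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php'; // assumption: installed via Composer
use ParagonIE\PQCrypto\Compat;

const SEAL_INFO = 'example-xwing-seal-v1'; // hypothetical domain-separation label

// Hypothetical helper: encapsulate to the recipient, then encrypt with an AEAD.
function xwing_seal($encapsKey, string $plaintext): array
{
    ['sharedKey' => $ss, 'ciphertext' => $kemCt] = Compat::xwing_encaps($encapsKey);
    // Derive a purpose-bound AEAD key rather than using the KEM output directly.
    $key = hash_hkdf('sha256', $ss, SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES, SEAL_INFO);
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    // The KEM ciphertext is the associated data, binding the message to this encapsulation.
    $box = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $kemCt, $nonce, $key);
    sodium_memzero($ss);
    sodium_memzero($key);
    return ['kem' => $kemCt, 'nonce' => $nonce, 'box' => $box];
}

// Hypothetical helper: decapsulate, re-derive the key, and authenticate the message.
function xwing_open($decapsKey, array $msg): string
{
    $ss = Compat::xwing_decaps($decapsKey, $msg['kem']);
    $key = hash_hkdf('sha256', $ss, SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES, SEAL_INFO);
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($msg['box'], $msg['kem'], $msg['nonce'], $key);
    sodium_memzero($ss);
    sodium_memzero($key);
    if ($plain === false) {
        // A modified KEM ciphertext or box ends up here: the AEAD tag does not verify.
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

[$decapsKey, $encapsKey] = Compat::xwing_keygen();
$msg = xwing_seal($encapsKey, 'constructed sample message');
var_dump(xwing_open($decapsKey, $msg));

// Constructed tamper test: flip one bit of the KEM ciphertext.
$msg['kem'][0] = $msg['kem'][0] ^ "\x01";
try {
    xwing_open($decapsKey, $msg);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

ML-KEM uses implicit rejection, so a modified ciphertext typically decapsulates to a different secret instead of raising an error; the AEAD check is what rejects the message.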

Closing Thoughts

We are not yet "pencils down" on this software. There will be bugs. Don't rush to deploy this into production yet.

With those caveats in mind, we hope that by making these algorithms available to the PHP community, we can all be ready to switch by the year 2029. The only way to get there is to start working on the migration today.

About the Author

P.I.E. Staff

Paragon Initiative Enterprises

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

