wolfTPM – Add TPM 2.0 v1.85 PQC Post-Quantum Support

    • As the cybersecurity landscape prepares for the advent of quantum computing, the Trusted Platform Module (TPM) ecosystem is evolving to meet these new challenges. wolfSSL is proud to announce that wolfTPM now includes initial support for the TPM 2.0 Library Specification v1.85, bringing Post-Quantum Cryptography (PQC) capabilities to your hardware-backed security workflows.

    This update introduces support for the National Institute of Standards and Technology (NIST) standardized algorithms: ML-DSA (Dilithium) and ML-KEM (Kyber).

    ML-DSA: Quantum-Resistant Digital Signatures
    The transition to PQC requires more than just new algorithms; it requires new ways of interacting with TPM hardware. wolfTPM now supports the sequence-based signing and verification commands required by ML-DSA, including:

    • TPM2_SignSequenceStart / TPM2_VerifySequenceStart
    • TPM2_SignSequenceComplete / TPM2_VerifySequenceComplete
    • TPM2_SignDigest / TPM2_VerifyDigestSignature

    These commands allow for context-based signing, ensuring that large messages can be processed securely through the TPM’s post-quantum engines.

    ML-KEM: Enhanced Key Encapsulation
    For secure key exchange, wolfTPM now implements the ML-KEM (formerly Kyber) commands:

    • TPM2_Encapsulate: A public-key operation to generate a shared secret and a ciphertext.
    • TPM2_Decapsulate: A private-key operation used to recover the shared secret from the ciphertext.

    New PQC Types and Structures
    To support these advanced algorithms, we have integrated several new types and structure tags into our library, such as TPM2B_KEM_CIPHERTEXT, TPM2B_SHARED_SECRET, and TPM_ST_MESSAGE_VERIFIED. These additions ensure that your application can seamlessly handle the larger key sizes and unique data structures associated with post-quantum algorithms.

    Getting Started
    To explore these new features, ensure you are using a TPM that supports the v1.85 specification. You can find new unit tests in the wolfTPM source code to help guide your implementation:

    • test_wolfTPM2_MLDSA_*
    • test_wolfTPM2_MLKEM_*

    For more details, view the full Pull Request #445 on GitHub.

    Interested in a commercial license or post-quantum consulting? Contact us at facts@wolfssl.com or call +1 425 245 8247.

    Download wolfSSL Now