wolfTPM Prepares for the Post Quantum Era

    • Enabling CNSA 2.0 Compliance with ML-DSA and ML-KEM in Hardware Security Modules

    The cryptographic landscape is rapidly evolving. With quantum computing advancing from theoretical to practical, organizations worldwide are racing to protect their systems against future quantum threats. The NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) has set clear timelines for transitioning to post-quantum cryptography (PQC), and the Trusted Computing Group (TCG) is leading the charge at the hardware level.

    Download wolfSSL →

    What’s Coming in TCG TPM 2.0 v1.85

    The TCG TPM 2.0 Library Specification v1.85—currently in draft RC2—introduces native support for NIST’s newly standardized post-quantum algorithms directly in the Trusted Platform Module. This is a game-changer for embedded security.

    ML-DSA (Dilithium – FIPS 204) — Post-Quantum Digital Signatures

    The specification adds robust support for ML-DSA, the lattice-based digital signature algorithm standardized by NIST. New TPM commands enable both immediate and streaming signature operations:

    • TPM2_SignDigest/TPM2_VerifyDigest — Direct signing and verification of message digests
    • TPM2_SignVerifyStart, TPM2_SignSequenceComplete, TPM2_VerifySequenceComplete — Streaming APIs for handling large messages efficiently within TPM memory constraints

    ML-KEM (Kyber – FIPS 203) — Post-Quantum Key Encapsulation

    For secure key exchange, v1.85 brings ML-KEM support with dedicated encapsulation commands:

    • TPM2_Encapsulate/TPM2_Decapsulate — Hardware-protected key encapsulation mechanism operations

    These primitives enable quantum-resistant TLS handshakes, secure boot chains, and encrypted storage—all with keys that never leave the TPM.

    wolfTPM: Ready When You Are

    At wolfSSL, we’re planning to bring v1.85 support to wolfTPM in early 2026, ensuring our customers have a clear path to CNSA 2.0 compliance ahead of anyone else. Our portable TPM 2.0 library will provide:

    • Full API coverage for ML-DSA and ML-KEM commands
    • Seamless integration with wolfCrypt’s post-quantum implementations
    • Cross-platform support across embedded, RTOS, and desktop environments

    Hardware Considerations

    The transition to PQC-capable TPMs will vary by vendor:

    • Firmware Updates: Some existing TPM chips may receive firmware updates enabling PQC support
    • New Hardware: Other platforms will require next-generation TPM chips with dedicated PQC acceleration

    We’re already working closely with silicon partners to ensure wolfTPM provides a consistent abstraction layer regardless of the underlying hardware path.

    Stay tuned for our official release announcement. Contact us at facts@wolfssl.com or call us at +1 425 245 8247 to discuss your post-quantum migration strategy.
    Download wolfSSL Now