Post-Quantum Goodies in wolfSSL 5.1.1: FALCON

This is a quote from a message posted by Dustin Moody of NIST on the NIST PQC Forum:

“Yes - the 3rd round will shortly be ending.  NIST is actively writing the 3rd Round report which will 
explain our rationale for which algorithms we will standardize.   We hope to be able to announce the 
results and report not later than the end of March.”

Dustin Moody, Feb. 9, 2022

So, we can expect some news from NIST in a month or so. With this in mind, we thought this might also be a good time to talk about the FALCON Signature Scheme integration in the wolfSSL v5.1.1 release and some of the other work we have done around post-quantum cryptography.

The FALCON Signature Scheme is a post-quantum algorithm that is a finalist in round 3 of the NIST PQC competition. It shows much promise: although its artifacts are large and key generation and signing are a bit slower than with currently standardized algorithms, signature verification is much faster, which bodes well for IoT and constrained devices. You can compare the speeds in our benchmarking data, which can be found in Appendix G of our wolfSSL Manual:

The good news for our customers that want to experiment with FALCON is that it couldn’t be easier! All you need to do is build liboqs and rebuild wolfSSL with the --with-liboqs configure flag. If your application links statically with wolfSSL, you will need to rebuild your application. If it links dynamically, you do not need to rebuild. After that, all you have to do is swap out your certificates for FALCON certificates! No code changes are required for your application. You can find instructions and a script for generating a FALCON certificate chain here:

For customers who want to see post-quantum algorithms working in a real-world use case, we have instructions for building a quantum-safe Apache web server and curl web client. All you need to do is follow the instructions here:

Finally, just a few words regarding motivation. Most people understand the harvest-and-decrypt threat model and thus see the urgency of moving to post-quantum key establishment. However, the motivation for post-quantum signature schemes might be harder to see. Suppose you are deploying authentication algorithms on devices that have long lifetimes and are hard to update. A good example of this might be firmware for industrial machinery or cars. If the lifetime of your deployment exceeds the time to a cryptographically relevant quantum computer, then you should probably consider experimenting to understand the impact of post-quantum algorithms sooner rather than later.

A full list of what was changed can be found in the wolfSSL ChangeLog.
For questions about wolfSSL or about the latest release contact us at