Post-Quantum Support Is Here
wolfTPM now includes post-quantum cryptography support, added through the TCG TPM 2.0 Library Specification v1.85. The wolfTPM client library supports ML-DSA (FIPS 204) signing and ML-KEM (FIPS 203) key encapsulation against any v1.85-capable TPM 2.0 target. The work merged in PR #445.
New v1.85 Commands
The following post-quantum commands are now implemented in the client library:
| Command | Description |
|---|---|
| TPM2_Encapsulate | ML-KEM key encapsulation |
| TPM2_Decapsulate | ML-KEM key decapsulation |
| TPM2_SignSequenceStart | ML-DSA signing of arbitrary-length messages |
| TPM2_SignSequenceComplete | ML-DSA sign sequence completion |
| TPM2_VerifySequenceStart | ML-DSA verification start |
| TPM2_VerifySequenceComplete | ML-DSA verification completion |
| TPM2_SignDigest | Hash-ML-DSA pre-hashed signing |
| TPM2_VerifyDigestSignature | Hash-ML-DSA pre-hashed verification |
Supported Parameter Sets
| Algorithm | FIPS Standard | Parameter Sets |
|---|---|---|
| ML-DSA | FIPS 204 | ML-DSA-44 / 65 / 87 |
| ML-KEM | FIPS 203 | ML-KEM-512 / 768 / 1024 |
Built on wolfCrypt
The post-quantum path is built on wolfCrypt’s NIST-validated ML-DSA and ML-KEM implementations, the same cryptographic core that drives wolfSSL TLS 1.3 post-quantum support. Wire formats follow the TCG specification exactly. wolfTPM’s small footprint and zero dynamic allocation in hot paths make the post-quantum commands available on the same embedded targets the rest of the library runs on.
Build Instructions
To enable post-quantum support, build wolfSSL with the following configuration:
```sh
# wolfSSL with PQC + keygen
./configure --enable-wolftpm --enable-pkcallbacks \
    --enable-keygen --enable-dilithium \
    --enable-mlkem --enable-experimental \
    --enable-harden CFLAGS="-DWC_RSA_NO_PADDING"
make && sudo make install
```
Then build wolfTPM with fwTPM and v1.85 support:
```sh
# wolfTPM with fwTPM + v1.85
./configure --enable-fwtpm --enable-pqc
make
make check
```
Example programs are in examples/pqc/.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

