OpenSSL Conference

Post-Quantum Cryptography in Practice: Real-World Implementation with Firefox, OpenSSL, and Rust-Based Solutions
2025-10-08, Prague / Technical Deep Dive & Innovation

As post-quantum cryptography (PQC) continues to evolve, ensuring a smooth and adaptable transition for end users, developers, and system administrators remains a top priority. Our presentation and live demo will showcase the establishment of a PQC TLS 1.3 connection using OpenSSL-based servers and Firefox-based clients, with PQC used for both key exchange and authentication. These research results are part of a Horizon Europe project named QUBIP.

In QUBIP, we aim to enable the PQC transition for three major practical exercises: quantum-secure IoT-based digital manufacturing, quantum-secure internet browsing, and quantum-secure software network environments for telco operators. Our talk is focused on quantum-secure internet browsing.

We will conclude the session by describing the broader methodology behind these efforts and how shallow loadable modules can empower users, system administrators, developers, and cryptographers alike to achieve greater flexibility and security in a post-quantum world.

Keywords: PQC, Provider, PKCS#11


Our presentation and live demo will showcase a system-level overview of the internet browsing pilot of the QUBIP project. This integration establishes TLS 1.3 PQC connections, achieving both key exchange and authentication using PQC (hybrid) algorithms.

After establishing a PQC TLS 1.3 connection using our server and client, we will inspect the browser’s security tab when connecting to the web server.
We illustrate how the user experience remains intentionally "boring", signaling a successful, non-disruptive deployment of advanced cryptographic protocols. Beneath this simplicity, however, lies a powerful infrastructure of client-side and server-side components.

On the client side, we employ a nightly build of Firefox enhanced with PQC authentication and key exchange capabilities, made possible through qryptotoken — a Rust-based soft-token derived from the Kryoptic project — loaded alongside Firefox's default NSS soft-token.

On the server side, we leverage vanilla nginx running over OpenSSL 3.2 with our aurora provider, a Rust-written OpenSSL provider designed to boost cryptographic agility by enabling flexible backend implementations for PQC primitives.

While some of these results could be approximated using vanilla Firefox and OpenSSL with the oqsprovider (or OpenSSL 3.5+), our approach enhances cryptographic agility through shallow loadable modules, leveraging the new Provider API and PKCS#11, to decouple stable systems from the rapidly evolving PQC ecosystem, offering valuable tools for developers and security researchers.