Background

Post-quantum cryptography (PQC) refers to algorithms designed to resist attacks from quantum computers. Classical algorithms such as RSA and ECDSA rely on the hardness of integer factorization and discrete logarithms — problems that Shor’s algorithm can solve efficiently on a sufficiently large quantum computer. Dilithium (CRYSTALS-Dilithium) is a lattice-based digital signature scheme standardized by NIST as ML-DSA (FIPS 204). It is the target PQC algorithm for HSM Work’s signing pipeline.

liboqs

liboqs is an open-source C library from the Open Quantum Safe project. It provides implementations of NIST-selected post-quantum algorithms including Dilithium, Kyber, and others.
On Debian/Ubuntu you can install liboqs from source. The library is not currently available in standard package repositories. Follow the liboqs build instructions to compile and install it before building any PQC-dependent components.

liboqs_test

The liboqs_test/ directory contains a minimal version check program that confirms liboqs is installed and accessible:
#include <oqs/oqs.h>
#include <stdio.h>

int main(void) {
    /* OQS_VERSION_TEXT is the version string macro defined by the liboqs headers. */
    printf("liboqs version: %s\n", OQS_VERSION_TEXT);
    return 0;
}

Build with CMake

A CMakeLists.txt is provided in liboqs_test/. Build and run:
cmake -S liboqs_test -B liboqs_test/build
cmake --build liboqs_test/build
./liboqs_test/build/liboqs_test
Or compile manually:
gcc main.c -o liboqs_test -loqs
./liboqs_test
Expected output:
liboqs version: 0.x.y

PQC in pkcs11-daemon

The pkcs11-daemon includes a stub for PQC key generation in pkcs11-daemon/crypto.h:
#include <string>

class Crypto {
public:
    static std::string generate_rsa();   // OpenSSL RSA 2048 -> PEM string
    static std::string pqc_generate();   // STUB: not yet implemented
};
Crypto::pqc_generate() is a stub and currently returns an empty string. No Dilithium key material is generated. The function is a placeholder for the planned liboqs integration.

Vault entry

Despite the stub, the daemon still writes a default-pq entry to vault.db at startup:
std::string pq = Crypto::pqc_generate(); // returns ""
vault.store_key("default-pq", "dilithium", pq);
The vault row is created with type = "dilithium" and an empty data field. Once pqc_generate() is implemented, it will write real Dilithium key material to this entry without requiring changes to the surrounding daemon code.
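
A consumer-side guard for the empty default-pq row described above, as an added example that is not part of the pkcs11-daemon code. The names check_vault_key, KeyStatus and status_name, the raw public-key-plus-secret-key layout, and the choice of Dilithium3 key sizes are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Dilithium3 (round 3) key sizes in bytes. Assumption: the daemon keeps this
// parameter set; ML-DSA-65 uses a 4032-byte secret key instead.
constexpr std::size_t kPublicKeyLen = 1952;
constexpr std::size_t kSecretKeyLen = 4000;

enum class KeyStatus { Usable, Placeholder, BadLength, UnknownType };

// Hypothetical helper (not in pkcs11-daemon): classify a vault row before any
// signing path uses it. Assumes `data` is raw public key || secret key bytes.
KeyStatus check_vault_key(const std::string& type, const std::string& data) {
    if (type != "dilithium") return KeyStatus::UnknownType;
    if (data.empty()) return KeyStatus::Placeholder;  // what the stub stores today
    if (data.size() != kPublicKeyLen + kSecretKeyLen) return KeyStatus::BadLength;
    return KeyStatus::Usable;
}

// Human-readable label for logs and startup diagnostics.
const char* status_name(KeyStatus s) {
    switch (s) {
        case KeyStatus::Usable:      return "usable";
        case KeyStatus::Placeholder: return "placeholder (empty data)";
        case KeyStatus::BadLength:   return "rejected (unexpected length)";
        case KeyStatus::UnknownType: return "rejected (unknown type)";
    }
    return "unknown";
}

int main() {
    // Constructed sample rows: {type, data}.
    const std::string rows[][2] = {
        {"dilithium", ""},
        {"dilithium", std::string(100, 'A')},
        {"dilithium", std::string(kPublicKeyLen + kSecretKeyLen, 'A')},
    };
    for (const auto& row : rows)
        std::cout << "default-pq -> " << status_name(check_vault_key(row[0], row[1])) << "\n";
    return 0;
}
```

A length check only filters out rows that cannot be a key pair; it does not prove the bytes form a valid one.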

Roadmap

The planned integration path is:
  1. Implement Crypto::pqc_generate() using OQS_SIG_new(OQS_SIG_alg_dilithium_3) from liboqs
  2. Return the generated Dilithium key pair serialized to a string
  3. Store the key material in vault.db under default-pq
  4. Add a corresponding Crypto::pqc_sign() / Crypto::pqc_verify() interface for signing operations
The liboqs_test program confirms the library is available; passing it is a prerequisite before implementing step 1.
