Kernel ML-KEM implementation plans
Eric Biggers
ebiggers at kernel.org
Tue Mar 31 01:11:33 UTC 2026
On Mon, Mar 30, 2026 at 07:44:55PM -0500, Ryan Appel wrote:
> WireGuard was my big implementation user.
Any more details on this? Googling for research papers shows that there
have indeed been several proposals for quantum-resistant WireGuard. But
some use algorithms other than ML-KEM. Others don't modify the kernel
code but rather do the key establishment in userspace. I haven't looked
into the details, but it also sounds like it's not as simple as swapping
out the algorithm, either.
I think step 1 is work out some plan with the WireGuard folks. Which
may or may not turn out to involve in-kernel ML-KEM.
> I also know that VMware uses the kernel crypto space for many of its
> crypto operations. I do not know when they will want ML-KEM and if
> they will want it only within BoringCrypto or OpenSSL, but if there is
> need for it in the market before it can be developed then that makes
> sense.
That code isn't upstream though, right? So even if hypothetically they
(will?) need ML-KEM in the kernel (for what?), that doesn't count for
upstream purposes.
- Eric
More information about the WireGuard
mailing list