Trail of Bits Brings Post-Quantum Cryptography to Python's Most-Downloaded Crypto Library
Key Takeaways
- cryptography v48+ now includes ML-KEM and ML-DSA, making post-quantum cryptography available via pip install for the entire Python ecosystem
- White House executive order mandates federal systems adopt post-quantum key establishment by end of 2030 and digital signatures by end of 2031
- Post-quantum algorithms are significantly larger (10-100x) than classical equivalents but remain performant; they require protocol redesign, not just library swaps
Summary
Trail of Bits has released cryptography version 48 with native support for ML-KEM and ML-DSA, the NIST-standard post-quantum cryptography primitives. With funding from the Sovereign Tech Agency, the implementation enables the Python ecosystem to begin migrating to quantum-resistant algorithms in response to the White House's June 2026 mandate requiring U.S. federal systems to transition to post-quantum key establishment by December 2030 and digital signatures by December 2031.
ML-KEM (key encapsulation mechanism) and ML-DSA (digital signature scheme) are lattice-based algorithms designed to resist attacks from large-scale quantum computers. The cryptography package, the 11th most-downloaded library on PyPI with 1.2 billion monthly downloads, is the cryptographic foundation for critical Python projects including Ansible, Certbot, Apache Airflow, and paramiko. Without post-quantum support in this foundational library, the broader Python ecosystem cannot begin its transition.
The new release includes Rust bindings for both algorithms, cross-binding APIs, and support for AWS-LC as a cryptographic backend. Post-quantum primitives come with important tradeoffs: they are 1-2 orders of magnitude larger than classical equivalents and slightly slower, requiring protocol and wire-format updates beyond simple algorithm substitution. However, on modern hardware, performance remains practical for production use.
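The following is an added example, not code from the cryptography project or from Trail of Bits, illustrating the wire-format point above: a parser that hard-codes a 32-byte key field (typical for X25519) rejects an ML-KEM-768 encapsulation key outright, while a length-prefixed framing carries both. The byte lengths come from FIPS 203 (ML-KEM-768: 1184-byte encapsulation key, 1088-byte ciphertext) and RFC 7748 (X25519: 32 bytes); the frame layout, algorithm identifiers and placeholder key bytes are constructed for the demonstration and do not reflect any real protocol.

```python
import struct

# Public-value sizes in bytes (FIPS 203 for ML-KEM-768, RFC 7748 for X25519).
PUBLIC_KEY_LEN = {
    "x25519": 32,
    "ml-kem-768": 1184,  # encapsulation key
}
# Bytes the responder sends back: an X25519 public key, or an ML-KEM ciphertext.
RESPONSE_LEN = {
    "x25519": 32,
    "ml-kem-768": 1088,
}
# Constructed algorithm identifiers for this example's framing (not a standard).
ALG_ID = {"x25519": 1, "ml-kem-768": 2}
ALG_NAME = {v: k for k, v in ALG_ID.items()}


def parse_legacy_key_share(msg: bytes) -> bytes:
    """Legacy parser: 1-byte algorithm id followed by a fixed 32-byte key.

    This is the shape of code that a 'library swap' leaves behind: the key
    size is baked into the parser, so a larger post-quantum key cannot fit.
    """
    if len(msg) != 1 + 32:
        raise ValueError(f"expected 33 bytes, got {len(msg)}")
    return msg[1:]


def legacy_accepts(alg: str) -> bool:
    """Return whether the legacy fixed-width parser can carry this algorithm."""
    key = bytes(PUBLIC_KEY_LEN[alg])  # constructed placeholder key bytes
    try:
        parse_legacy_key_share(bytes([ALG_ID[alg]]) + key)
        return True
    except ValueError:
        return False


def encode_key_share(alg: str, key: bytes) -> bytes:
    """Length-prefixed framing: alg id (u8) | key length (u16, big-endian) | key."""
    expected = PUBLIC_KEY_LEN[alg]
    if len(key) != expected:
        raise ValueError(f"{alg}: expected {expected}-byte key, got {len(key)}")
    return struct.pack("!BH", ALG_ID[alg], len(key)) + key


def decode_key_share(frame: bytes) -> tuple[str, bytes]:
    """Parse a frame produced by encode_key_share, rejecting malformed input."""
    if len(frame) < 3:
        raise ValueError("frame too short for header")
    alg_id, length = struct.unpack("!BH", frame[:3])
    alg = ALG_NAME.get(alg_id)
    if alg is None:
        raise ValueError(f"unknown algorithm id {alg_id}")
    # Length is still validated against the algorithm: the prefix makes the
    # format extensible, it does not make arbitrary lengths acceptable.
    if length != PUBLIC_KEY_LEN[alg]:
        raise ValueError(f"{alg}: bad key length {length}")
    if len(frame) != 3 + length:
        raise ValueError("truncated frame or trailing bytes")
    return alg, frame[3:]


def handshake_bytes(alg: str) -> int:
    """Total public bytes on the wire for one key establishment (both directions)."""
    return PUBLIC_KEY_LEN[alg] + RESPONSE_LEN[alg]


if __name__ == "__main__":
    for alg in PUBLIC_KEY_LEN:
        frame = encode_key_share(alg, bytes(PUBLIC_KEY_LEN[alg]))
        print(f"{alg}: legacy parser ok={legacy_accepts(alg)}, "
              f"framed share={len(frame)} bytes, "
              f"full exchange={handshake_bytes(alg)} bytes")
```

Run as a script, the example shows the legacy parser accepting the X25519 share and rejecting the ML-KEM-768 one, and a full ML-KEM-768 exchange at 2272 bytes against 64 for X25519, roughly 35x more, which is the kind of growth that forces fixed-size fields, MTU assumptions and record limits to be revisited rather than just the algorithm call.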
- cryptography is foundational infrastructure (11th most-downloaded PyPI package, 1.2B downloads/month); without PQ support here, ecosystem-wide migration cannot proceed