
Trail of Bits | OPEN SOURCE | 2026-07-04

Trail of Bits Brings Post-Quantum Cryptography to Python's Most-Downloaded Crypto Library

Key Takeaways

  • cryptography v48+ now includes ML-KEM and ML-DSA, making post-quantum cryptography available via pip install for the entire Python ecosystem
  • White House executive order mandates federal systems adopt post-quantum key establishment by end of 2030 and digital signatures by end of 2031
  • Post-quantum algorithms are significantly larger (10-100x) than classical equivalents but remain performant; they require protocol redesign, not just library swaps

Source: Hacker News, https://blog.trailofbits.com/2026/06/30/shipping-post-quantum-cryptography-to-python/

Summary

Trail of Bits has released cryptography version 48 with native support for ML-KEM and ML-DSA, the NIST-standard post-quantum cryptography primitives. With funding from the Sovereign Tech Agency, the implementation enables the Python ecosystem to begin migrating to quantum-resistant algorithms in response to the White House's June 2026 mandate requiring U.S. federal systems to transition to post-quantum key establishment by December 2030 and digital signatures by December 2031.

ML-KEM (key encapsulation mechanism) and ML-DSA (digital signature scheme) are lattice-based algorithms designed to resist attacks from large-scale quantum computers. The cryptography package, the 11th most-downloaded library on PyPI with 1.2 billion monthly downloads, is the cryptographic foundation for critical Python projects including Ansible, Certbot, Apache Airflow, and paramiko. Without post-quantum support in this foundational library, the broader Python ecosystem cannot begin its transition.

The new release includes Rust bindings for both algorithms, cross-binding APIs, and support for AWS-LC as a cryptographic backend. Post-quantum primitives come with important tradeoffs: they are 1-2 orders of magnitude larger than classical equivalents and slightly slower, requiring protocol and wire-format updates beyond simple algorithm substitution. However, on modern hardware, performance remains practical for production use.
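
The wire-format point above, as an added example (not code from Trail of Bits or the cryptography project): a hypothetical tag-length-value handshake encoding with a 1-byte or 2-byte length prefix, checked against object sizes from FIPS 203/204 and RFC 7748/8032. The field layout, the function names and the 1200-byte datagram budget are assumptions made for illustration.

```python
import struct

# Object sizes in bytes (classical: RFC 7748/8032; post-quantum: FIPS 203/204).
SIZES = {
    "X25519 public key": 32,
    "Ed25519 signature": 64,
    "ML-KEM-768 encapsulation key": 1184,
    "ML-KEM-768 ciphertext": 1088,
    "ML-DSA-65 public key": 1952,
    "ML-DSA-65 signature": 3309,
}

# Hypothetical wire format: tag (1 byte) | length (1 or 2 bytes, big-endian) | value.
LEN_FORMATS = {1: "!B", 2: "!H"}


def encode_field(tag: int, value: bytes, len_width: int) -> bytes:
    """Encode one field, refusing values the length prefix cannot express."""
    limit = (1 << (8 * len_width)) - 1
    if len(value) > limit:
        raise ValueError(f"{len(value)}-byte value exceeds {limit}-byte field limit")
    return bytes([tag]) + struct.pack(LEN_FORMATS[len_width], len(value)) + value


def decode_fields(buf: bytes, len_width: int) -> list[tuple[int, bytes]]:
    """Parse consecutive fields, rejecting truncated input instead of reading short."""
    fields, pos = [], 0
    while pos < len(buf):
        if pos + 1 + len_width > len(buf):
            raise ValueError("truncated field header")
        tag = buf[pos]
        (length,) = struct.unpack_from(LEN_FORMATS[len_width], buf, pos + 1)
        start = pos + 1 + len_width
        if start + length > len(buf):
            raise ValueError("field length runs past end of message")
        fields.append((tag, buf[start:start + length]))
        pos = start + length
    return fields


def audit(len_width: int, datagram_budget: int) -> dict[str, tuple[bool, bool]]:
    """Per object: (fits the length prefix, fits one datagram including its header)."""
    limit = (1 << (8 * len_width)) - 1
    return {name: (size <= limit, 1 + len_width + size <= datagram_budget)
            for name, size in SIZES.items()}
```

With a 1-byte prefix the classical objects encode and every post-quantum object is rejected; widening the prefix to 2 bytes fixes encoding, but the ML-DSA-65 key and signature still exceed the assumed single-datagram budget, which is the kind of protocol change a library swap alone does not cover.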

  • cryptography is foundational infrastructure (11th most-downloaded PyPI package, 1.2B downloads/month); without PQ support here, ecosystem-wide migration cannot proceed