[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Post-Quantum Cryptography in Tor's TLS Layer: Help needed!

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] Post-Quantum Cryptography in Tor's TLS Layer: Help needed!
From: Alexander Hansen Færøy via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Feb 2026 15:15:02 +0100
Cc: Alexander Hansen Færøy <ahf@xxxxxxxxxxxxxx>
List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
Reply-to: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird

Hello Tor Relay Operators,

With the arrival of OpenSSL 3.5.0 in 2025, we finally had an important missingpiece of infrastructure to start enabling the Tor network to supportPost-Quantum Cryptography in the outermost cryptographic layer of the Torprotocol. Since Tor version 0.4.8.17, we have supported the x25519/ML-KEM-768hybrid handshake in our TLS layer, and we have gradually seen more relayssupporting it in the production network. Tor Browser has been built againstOpenSSL >= 3.5.0 since (at least) version 13.5.22, released in September 2025,and therefore supports Post-Quantum TLS handshakes today, but it requires thatits guard node supports it. We need to give a big shout-out to the OpenSSL Teamhere to get this out and available to the masses! <3

Since Q3 2025, I've been running some semi-regular scans of the Tor productionnetwork to check for TLS cipher suite availability. This work started as part ofthe first Tor Community Gathering back in October, 2025[1]. The results are asfollows:

In January, around 28% of the Tor relays supported the Post-Quantum TLShandshake. The scan I did yesterday showed an increase of around 4 percentagepoints to 32.32%.

Out of 9476 scanned relays, 9185 were reachable, 291 were unreachable. Of the9185 reachable relays, I saw the following distribution of cipher suites:


  `TLS13_AES_256_GCM_SHA384`: 9023 relays.
  `TLS13_CHACHA20_POLY1305_SHA256`: 158 relays.
  `TLS13_AES_128_GCM_SHA256`: 4 relays.

For the key exchange groups, I saw the following distribution:

  `secp256r1`: 6212 relays.
  `X25519MLKEM768`: 2969 relays.
  `X25519`: 4 relays.

Of the Directory Authorities, 5 of them supported the `X25519MLKEM768` keyexchange group during the TLS handshakes.

2969 / 9185 * 100 = 32.32% of relays support the `X25519MLKEM768` cipher suite.This number is a good start, but we should ideally bump it up!

You can see the individual results for your relay(s) in the big table availableat https://ahf.me/tor-tls-pqc/2026-02-26/ -- entries without a cipher suite orkey exchange group were unreachable at the time I ran the scan. These missingentries can be due to a network problem anywhere on the path between my host andyours, so don't get worried if your relay is missing :-)

The scanner I used is free software and is available as part of the NetworkHealth Team's Margot tool[2], used for various analysis purposes.

Please note that the goal here isn't to enumerate all available cipher suitesfor each relay, but instead I'm interested in the "strongest" possible ciphersuite my custom client can negotiate with each relay.

My ask for you as the relay operator community here is as follows: Next time youfolks are doing maintenance on your relay(s), please have a look at whether youcan upgrade either your packages or underlying software distribution to aversion such that you either get a new enough version of OpenSSL (>= 3.5.0), orif you are a LibreSSL user, check whether the LibreSSL project supports theML-KEM hybrid handshake, and upgrade to that version. It looks like the LibreSSLproject is currently working towards supporting the ML-KEM handshake in the nextupcoming release[3].

For Debian users, to get a new enough OpenSSL version that supports the PQC TLShandshake, you need to upgrade to (at least) Debian Trixie. For everybody else,it's best to check your respective software distribution's package managementsystem to find the version you need to upgrade to.

For Arti users, a licensing issue with the currently available crypto providersin Arti prevented enabling the ML-KEM handshake. Nick, however, has recentlybeen making progress on this matter and has a patch up that is now pendingupstream review[4]! :-)

If you are excited about exploring different aspects of the Tor ecosystem,talking with other Tor enthusiasts, and you have nothing planned for yourweekend in two weeks, I highly encourage you to look into the next Tor CommunityGathering in Denmark. The event takes place from 2026-03-13 to 2026-03-15. Formore information, check out our website at https://onionize.space/2026/


Thank you all for all the work you do to make Tor better! <3

Cheers,
Alex

[1]: https://onionize.space/2025/
[2]: https://gitlab.torproject.org/tpo/network-health/margot/

[3]:https://github.com/libressl/portable/blob/a989b7acb9a475fde656e48dbcb38289de519a1d/ChangeLog#L40

[4]: https://github.com/RustCrypto/rustls-rustcrypto/pull/143

--
Alexander Hansen Færøy

_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx

Next by Author: [tor-relays] Re: Tor Relay Operator Meetup at FOSDEM 2026
Previous by thread: [tor-relays] Happy Families migration status dashboard
Index(es):
- Author
- Thread