ICMC Recap
Foundation staff Tomáš Mráz and Amy Parker attended last week’s International Cryptographic Module Conference (ICMC) and PQ Cyber Day, which brought together industry experts, government representatives, and researchers from around the globe. The timing was just right: the final release of OpenSSL 3.5 went live during the conference and includes support for the PQC algorithms ML-KEM, ML-DSA, and SLH-DSA.
PQ Cyber Day was a full day of sessions focused on the opportunities and challenges for post-quantum computing migration. Speakers from the Canadian Centre for Cyber Security (CCCS) and the National Institute of Standards and Technology (NIST) spoke about the “Harvest Now, Decrypt Later” threat, the need for cryptographic agility, and the fact that cybersecurity is not just an IT issue but a shared responsibility that requires buy-in and investment from the top. A variety of industry speakers shared their experiences with migrating cryptographic inventories, code signing, and hardware security modules to the NIST PQC standards.
Tomáš spoke on a panel alongside colleagues from PQShield, Amazon Web Services (AWS), and Entrust. One insight he shared is that “It is a myth that PQ algorithms have to be bulky or slower, but in many cases it’s not actually true. In some cases, they can be faster, or have smaller keys. Maybe, for your use case, it could even be better than the classical algorithms.” A key takeaway from this panel discussion was that whether or not a quantum computer exists by 2030, 2035, or some other date, there is value in moving to PQ algorithms and building cryptographic agility right now.
Other conference highlights were our OpenSSL Corporation colleagues’ presentations on PQC in OpenSSL and the OpenSSL Roadmap. Hybrids of post-quantum and classical algorithms were another hot topic throughout various talks. In general, the view (as presented, for example, by John Gray) was that the use of hybrids is necessary for high-value applications or the protection of long-lived data. Stephan Mueller and Alicja Kario presented different approaches to discovering timing-based side channels in cryptographic implementations. Another topic very relevant to FIPS validation of the OpenSSL library was Fast-Tracking Software Validations, presented by Simo Sorce and Alessandro Fazio.
While Tomáš has been involved with ICMC for many years, this was Amy’s first time at the conference. She reflected, “I keep thinking about the statistic that, over the next 10 years or so, an estimated 20 billion digital devices will need to be upgraded or replaced to use quantum-safe cryptography. This fact helps make real the vast challenge of PQC migration and the importance of organizations like the OpenSSL Foundation being at the forefront of these technological advances.”
The next ICMC will be held in Arlington, Virginia on 20-23 April 2026. In the meantime, you can find members of the Foundation team at the RSA Conference this May and at the first-ever OpenSSL Conference in October, and you can reach us online anytime at foundation@openssl.org.