My week at ICMC 2025 with the OpenSSL Foundation: Faces, PQC, and Real-World Challenges

May 21, 2025

Nicola Tuveri is a long-term contributor to OpenSSL and a member of both the Foundation’s Business Advisory Committee and Technical Advisory Committee. The Foundation sponsored his attendance at ICMC 2025 and here are his reflections on the experience.

Early last month, I had the pleasure of attending the International Cryptographic Module Conference (ICMC) in Toronto. As an attendee, my mission was simple: reconnect, listen, and learn. And ICMC delivered on all fronts.

“Advancing secure infrastructure demands both technical expertise and clear community direction.” — OpenSSL Corporation, ICMC 2025 Reflections

This sentiment resonated deeply with me. It captured much of what I experienced in Toronto and underscored the moment we’re in.

Meeting the Team in Person

One of the highlights was finally reconnecting, in person, with individuals involved in the OpenSSL Project—representatives from both the Foundation and the Corporation. It’s always energizing to move beyond GitHub handles, emails, and oddly timed conference calls. Conversations in the hallway, during panels and over meals reinforced the importance of shared direction and coordination in advancing the OpenSSL Mission and the Project’s long-term goals.

The Timing of OpenSSL 3.5’s Launch

The conference coincided with the release of OpenSSL 3.5, which introduced support for post-quantum cryptography (PQC). Witnessing this announcement live added symbolic weight to the week. With support for ML-KEM, ML-DSA, and SLH-DSA in alignment with the current state of NIST’s standardization, and enabling hybrid ML-KEM in TLS v1.3 the release marks a major step forward for those preparing for the PQC era.

Center Stage: HSMs and the PQC Transition

The dominant topic at ICMC this year was undoubtedly PQC—and in particular, its intersection with hardware. A recurring and critical theme was: How will hardware security modules (HSMs) and their users navigate the PQC transition? From vendor showcases to user discussions, the emphasis was on real-world deployment: ensuring interoperability, performance, and assurance under new cryptographic assumptions.

Hearing directly from manufacturers, integrators, and certification bodies helped ground the discussions in practical needs and highlighted areas where continued coordination is essential.

Representing QUBIP: Frameworks for a Practical Transition

My presence at ICMC 2025 was also part of my involvement in QUBIP—a Horizon Europe project focused on enabling a structured, replicable transition to post-quantum cryptography across real-world digital infrastructure. QUBIP addresses various building blocks over five interconnected layers: hardware, cryptographic libraries, operating systems, protocols, and applications. These are validated through three pilot demonstrators targeting distinct sectors: IoT manufacturing, internet browsing, and telco-operators networks.

The conference offered a valuable opportunity to compare QUBIP’s approach with the broader cryptographic ecosystem—particularly around topics like HSM integration, certification readiness, and deployment workflows. These were recurring concerns in ICMC sessions and informal discussions alike.

One of the outcomes of QUBIP is Aurora, an OpenSSL 3.x provider designed to support hybrid and post-quantum cryptographic primitives. Aurora serves as a modular framework for exploring integration strategies, performance trade-offs, and deployment patterns—aligned with the real-world use cases QUBIP aims to test and demonstrate.

Hearing directly from vendors, auditors, and users at ICMC helped affirm that efforts like QUBIP and Aurora are well-positioned to address practical concerns and support the transition from experimental adoption to operational readiness.

In Summary

ICMC 2025 was a timely and meaningful gathering—technically, socially, and strategically. It offered a clear snapshot of where we are in the PQC transition and how much coordination is still needed, especially when it comes to integration with hardware modules and established infrastructure.

I’m sincerely grateful to the OpenSSL Foundation for sponsoring my participation. It was a valuable opportunity to connect with individuals involved in the OpenSSL Project and with stakeholders from across the cryptographic landscape, and to contribute to the ongoing dialogue shaping our post-quantum future.