Quantum Tools: Hybrid Quantum-Enabled NGINX server

In today’s evolving security landscape, preparing for the post-quantum era is no longer optional — it’s essential. With the publication of FIPS 203, 204, and 205, organizations now have a clear path to begin deploying post-quantum cryptographic (PQC) standards.

I wanted to take this challenge head-on by building a “production-ready” (deployment-ready) NGINX container image that not only supports classical TLS but also enables hybrid classical + post-quantum key exchanges and signatures.

Here’s how I approached it.

Step 1: The Build Foundation

I started by creating a custom Dockerfile that layers:

  • Base Ubuntu image – lightweight but production-ready.
  • FIPS-compliant OpenSSL (OQS-OpenSSL3 fork) – adds PQC algorithms.
  • NGINX compiled against OQS-OpenSSL3 – ensures TLS handshakes can use PQC.
  • Security hardening – stripping, non-root execution, locked-down configs.
[Image: Dockerfile base]


The goal was to produce a self-contained FIPS 203/204/205 ready container, deployable without extra configuration headaches.

Step 2: The Cryptography

The container supports the three NIST-selected PQC algorithms alongside classical algorithms:

| Standard | Algorithm | Role |
|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Key Encapsulation (TLS handshake, hybrid with X25519) |
| FIPS 204 | ML-DSA (Dilithium) | Digital Signatures (server certs, message signing) |
| FIPS 205 | SLH-DSA (SPHINCS+) | Stateless Hash-Based Signatures (fallback, long-term resilience) |

I set up hybrid TLS flows so the handshake includes both a classical algorithm (RSA/ECDSA/X25519) and a PQC algorithm, so the session stays protected even if one of the two is later broken.

Step 3: Containerized Web Security

The result is a Docker container that:

  • Exposes NGINX with PQC-enabled TLS
  • Accepts hybrid key exchange: X25519 + ML-KEM (Kyber)
  • Supports dual-signatures: RSA/ECDSA + Dilithium/SPHINCS+
  • Is FIPS 140-3 forward-prepared by design

Security Flow Table

| Flow | Classical-Only | PQC-Only | Hybrid |
|---|---|---|---|
| TLS Handshake | RSA/ECDSA + X25519 | ML-KEM (Kyber) | X25519 + ML-KEM |
| Signatures | RSA/ECDSA | Dilithium / SPHINCS+ | Dual |
| Compliance | FIPS 140-3 | FIPS 203–205 | Forward-prepared |

Why This Matters

  • Future-proofing: Organizations can start testing PQC without abandoning existing TLS stacks.
  • Deployment-ready: An experiment that is hardened, reproducible, and deployable today, i.e. “deployment-ready for experimentation and early adoption.”
  • Compliance-first: Aligned with the NIST FIPS roadmap (203/204/205).

This project was about more than compiling NGINX — it was about proving that hybrid post-quantum security can be deployed for testing today. The future of secure web infrastructure lies in containers that make PQC effortless — and this experiment was my first step in that direction.


About the author

Dean Jay Mathew is an educator and researcher passionate about cyber security, with a focus on building and running FIPS 203/204/205 compliance tests via hybrid classical/post-quantum cryptography powered by ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+), providing robust preparation to future-proof data protection for organizations transitioning to post-quantum security.
