The WICG is incubating a specification that adds post-quantum secure and modern cryptographic algorithms to the Web Cryptography API, much like X25519 was incubated before being merged into Web Cryptography: https://wicg.github.io/webcrypto-modern-algos/
Adoption is well underway:
The specification's Adoption Guidance section recommends the following implementation priorities:
- ML-KEM (FIPS 203) — post-quantum key encapsulation mechanism. Combined with traditional key agreement it enables hybrid PQ/T key establishment as used in protocols like HPKE and its PQ and PQ/T algorithms. ML-KEM requires new `SubtleCrypto` methods: `encapsulateKey`, `encapsulateBits`, `decapsulateKey`, and `decapsulateBits`.
- ML-DSA (FIPS 204) — post-quantum digital signature algorithm.
- ChaCha20-Poly1305 (RFC 8439) — widely deployed AEAD cipher used across TLS, SSH, WireGuard, HPKE.
- SHA-3 (FIPS 202) — `SHA3-256`, `SHA3-384`, `SHA3-512` hash functions.
- cSHAKE (NIST SP 800-185) — `cSHAKE128`, `cSHAKE256` extendable-output functions used in post-quantum constructions including ML-KEM key derivation and hybrid KEM combiners. When invoked without customization parameters, cSHAKE produces output identical to SHAKE.
- TurboSHAKE (RFC 9861) — `TurboSHAKE128`, `TurboSHAKE256` XOFs based on round-reduced Keccak, roughly twice as fast as SHAKE.
The specification also introduces two important new `SubtleCrypto` methods that benefit all algorithms (including those already in Web Crypto):
- `SubtleCrypto.supports(operation, algorithm)` — synchronous feature detection for algorithm/operation support. This is critical for enabling progressive enhancement and graceful fallback as runtimes adopt these algorithms incrementally.
- `SubtleCrypto.getPublicKey(key, keyUsages)` — derives a public key from an asymmetric private key, simplifying key management and enabling protocols that commit the public key value to their outputs while accepting non-extractable private keys as input.
Web Platform Tests (WPTs) for the specified algorithms and operations are available.
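An added example (not code from the specification or from this post) of the graceful fallback that `SubtleCrypto.supports` enables: it picks the first algorithm per role for which every needed operation is supported, and covers runtimes where `supports` is missing or throws. The algorithm name `ML-KEM-768`, the `iv` parameter member, the legacy baseline set and all function names are assumptions not taken from this page.

```javascript
// Added example: PREFERENCES, LEGACY, detectSupports and pickAlgorithm are hypothetical names.
const iv = new Uint8Array(12); // placeholder nonce, used only to form valid parameters

// AEAD candidates must pass every operation the application will actually call.
const aead = (name) => ({
  name,
  checks: [["importKey", name], ["encrypt", { name, iv }], ["decrypt", { name, iv }]],
});

// Ordered by preference, newest first.
const PREFERENCES = {
  aead: [aead("ChaCha20-Poly1305"), aead("AES-GCM")],
  hash: [
    { name: "SHA3-256", checks: [["digest", "SHA3-256"]] },
    { name: "SHA-256", checks: [["digest", "SHA-256"]] },
  ],
  // The encapsulate/decapsulate methods are new, so there is no legacy fallback here.
  kem: [{
    name: "ML-KEM-768",
    checks: ["generateKey", "encapsulateBits", "decapsulateBits"].map((op) => [op, "ML-KEM-768"]),
  }],
};

// Assumed available on runtimes that predate supports() (long-standing Web Crypto algorithms).
const LEGACY = new Set(["AES-GCM", "SHA-256"]);

// Returns a (operation, algorithm) => boolean probe for the given runtime.
function detectSupports(runtime = globalThis) {
  const iface = runtime.SubtleCrypto;
  if (iface && typeof iface.supports === "function") {
    return (operation, algorithm) => {
      try {
        return iface.supports(operation, algorithm) === true;
      } catch {
        return false; // a failing probe counts as "unsupported"
      }
    };
  }
  return (_operation, algorithm) => LEGACY.has(algorithm.name ?? algorithm);
}

// Returns the first candidate whose checks all pass, or null if none does.
function pickAlgorithm(role, supports = detectSupports()) {
  const match = (PREFERENCES[role] ?? []).find((candidate) =>
    candidate.checks.every(([operation, algorithm]) => supports(operation, algorithm)));
  return match ? match.name : null; // null: disable the feature rather than guess
}
```

A `null` result for the `kem` role means the runtime cannot do post-quantum key establishment at all, so the caller should surface that rather than silently continue with a weaker scheme.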