Open-source or commercial PQC libraries: How do I choose?

There’s little doubt that open-source projects are powerful tools. The code base is often free to use, easy to access, and has been refined and built by hundreds, if not thousands of developers. From the likes of Linux and OpenSSL, all the way to tiny lightweight tools, open-source projects can include a huge variety of tools, types, and code bases. Even in the post-quantum space, there are useful projects that could easily add value to a software implementation. But what are the key considerations for organizations facing the choice between open-source and closed, commercially-licensed IP?

Implementation

One consideration is the cost of implementation. Even the cleanest code needs to be integrated into a real-world system, and that takes engineering support. Open-source projects often lack that focus on implementation that’s required for production environments, leaving users to handle complex integration tasks themselves.

Code Quality

Additionally, the quality of the code can vary widely within an open-source project. There’s no centralized quality control, which makes it harder to enforce coding standards and conduct quality assurance. While the project may be a powerful tool, there’s no guarantee that it will transition seamlessly into a real-world environment without compromising quality.

Maintenance and Support

While there are paid support options available for open-source, there’s also a maintenance burden – open-source requires monitoring of regular updates, testing, and quality assurance. At present, PQC is still maturing, which means projects are more likely to need updates, requiring more focus on tracking the latest versions and updating frequently.

Security Risks

While open source is transparent, it’s not guaranteed to be secure. Publicly available code can be targeted by malicious actors and may contain undiscovered vulnerabilities. As these weaknesses are discovered, customized versions of the project already deployed in the field will need to be updated.

Certification and Compliance

Achieving industry-specific certification might require significant customization and ongoing support for an open-source project. For example, automotive deployments will require a different level of compliance from, say, defense or Critical National Infrastructure. Compliance, both with current PQC regulations and with the standards of the future, could be difficult to achieve without investing time and resources.

What about Commercial IP Solutions?

Open-source of course has its place and can provide a powerful solution for some organizations. However, it is worth considering a commercial PQC solution and comparing it with the potential costs of using an open-source project.

Commercial solutions, such as PQShield’s PQCryptoLib and PQCryptoLib-Embedded, have been developed with a strong emphasis on real-world deployment, and they offer support, maintenance, and expertise for integration in specific customer environments. As an organization, we’re focused on security, and our IP is rigorously tested and validated against security profiles, providing assurance against known and unknown vulnerabilities. This combination of cryptographic expertise and engineering ability is invaluable when it comes to integration into a production environment.

Additionally, a commercial solution like ours is far more likely to offer simplified certification and licensing, in line with industry-specific compliance efforts, and tailored for your environment. In fact, our engineers have designed our products to be highly optimizable, meaning we can customize an integration and provide an exceptional level of support and maintenance going forward.

Implementation, code quality, customization, security, support, and maintenance are all factors that could easily incur a hidden cost with an open-source project. Meanwhile, solutions like ours are designed to complement your environment, keeping your system and infrastructure safe from attack, and far more adaptable to the threats and vulnerabilities of tomorrow.

If you’d like to find out more, check out our products page.
