Important News:SafeLogic Announces CryptoComply v3.5 with OpenSSL 3.5 Compatiblity, PQC and Improved Performance! Read the announcement.
May 29, 2025 •Evgeny Gervis
SafeLogic today announced the immediate availability of a new version of its flagship cryptographic software, CryptoComply. A drop-in replacement for OpenSSL 3.5, CryptoComply v3.5 includes all NIST-standardized post-quantum cryptography (PQC) algorithms, enables hybrid mode that combines PQC with FIPS-certified classical cryptography, provides support for server-side QUIC, improves performance, and optionally works with SafeLogic’s NIST ESV-certified entropy source.
OpenSSL 3.5 Compatibility
Many in the cryptography industry have eagerly awaited the significant performance improvements OpenSSL has delivered in OpenSSL Library 3.5. Published benchmarks show as much as 88% better performance for specific operations over OpenSSL 3.0. CryptoComply v3.5 is binary compatible with OpenSSL 3.5 and benefits from those performance optimizations.
Post-Quantum Cryptography
NIST has been working to identify and standardize cryptographic algorithms that will not be susceptible to quantum computer attacks since 2017. In August 2024, it standardized a first set of post-quantum cryptography (PQC) algorithms. CryptoComply v3.5 includes support for all three of these NIST-standard PQC algorithms:
- ML-KEM (FIPS 203), short for Module-Lattice Key Encapsulations Mechanism, enables parties to establish shared secrets, like symmetric encryption keys, over insecure networks in the presence of both quantum and classical computers. It was designed to be used in TLS/SSL, VPNs, encrypted messaging apps, and government or military communications
- ML-DSA (FIPS 204), which stands for Module-Lattice Digital Signature Algorithm, is a digital signature scheme for verifying identity, integrity, or authenticity that is secure against both classical and quantum computers. It is designed to deliver fast signature generation and verification, as well as reasonable key and signature sizes for a PQC algorithm. Typical use cases for ML-DSA include secure software updates, certificate signing, email, and document signing, and applications requiring authenticated and tamper-proof digital communication
- SLH-DSA (FIPS 205), which stands for Stateless Hash-Based Digital Signature Algorithm, is also a quantum-resistant digital signature scheme. It employs proven and secure hashing that is not vulnerable to quantum computer attacks. Also since it is stateless, it simplifies implementation. SLH-DSA features relatively small public keys (albeit with relatively large signatures), which can make it a better option than ML-DSA for certain use cases.
CAVP and CMVP certification for these PQC algorithms are forthcoming.
Hybrid PQC/FIPS-Validated Mode
Some organizations subject to FIPS 140 also need PQC because they have sensitive data with long-term value at risk to Harvest Now, Decrypt Later (HNDL) attacks. However, no PQC algorithms have yet received FIPS 140 certification. CryptoComply v3.5 supports hybrid mode key exchange by combining SafeLogic’s FIPS 140-3 validated algorithms used in CryptoComply v3 (CMVP FIPS 140-3 certificate #4781) with ML-KEM. This enables organizations to achieve quantum resistance today while maintaining FIPS compliance.
QUIC Support
QUIC (which originally was an acronym for Quick UDP Internet Connections) is a modern transport layer network protocol originally developed by Google and subsequently standardized by the IETF. It provides faster connection setup than traditional HTTPS because it is built on UDP and supports multiplexing. It is more secure as all messages are always encrypted using TLS 1.3, and it is better for mobile devices as it allows connections to migrate when networks change. Major browsers including Chrome, Firefox, Safari, and Edge now support QUIC, as well as major platforms including Google, Facebook, Cloudflare, and Akamai. CryptoComply v3.5 provides full server-side QUIC support so developers can build QUIC applications that work with QUIC-enabled clients and systems.
CryptoComply Entropy Provider
CryptoComply v3.5 can optionally use SafeLogic’s new ESV-certified entropy source. NIAP is already requiring ESV-certified entropy sources for new Common Criteria submissions that employ cryptography. NIST will require an ESV-certified entropy source for new FIPS 140-3 submissions January 1, 202626.
Availability and Support
CryptoComply v3.5 runs on desktops, servers, mobile devices, embedded/IoT, cloud/containers, and network appliances. CryptoComply for Server v3.5 and CryptoComply for Mobile v3.5 binaries for Windows, MacOS, Linux, Unix, Android, iOS, and other operating systems, are available today from SafeLogic upon request.
All are fully supported by SafeLogic’s proven, enterprise-class, commercial-grade product support team.
For More Information
For more information on this new version, contact your existing SafeLogic representative or email sales@safelogic.com.
About SafeLogic
Founded in 2012, SafeLogic is a premier provider of cryptographic solutions that enable enduring privacy and trust in the ever-changing digital world. SafeLogic's CryptoComply FIPS 140 validated cryptographic software supports a broad range of platforms, programming languages, and operating environments. With its FIPS Validation-as-a-Service offering, SafeLogic expedites the delivery of FIPS 140 certificates for its CryptoComplycustomers. It then keeps those certificates active over time via a unique white-glove managed service that provides both software support and certification maintenance. CryptoComply is also the basis for SafeLogic's post-quantum cryptography (PQC) capabilities, which include PQC algorithms, PQ TLS support, discovery, crypto-agility, and hybrid deployments. Its newest product, CryptoComply Entropy Provider, is an ESV-certified, standalone software entropy source.
