Rust VPN Qeli adds hybrid post-quantum key exchange in 0.7.x line

Qeli’s 0.7.x line now ships a hybrid X25519 plus ML-KEM-768 handshake, trading a bigger packet for a VPN session that can survive the post-quantum transition.

Nina Kowalski · 1 min read

Alexandr Litvinov put a real Rust VPN on the post-quantum map on June 18, when he described Qeli’s 0.7.x line as using a hybrid X25519 plus ML-KEM-768 key exchange. Qeli is a self-hosted VPN, and its core and server are written in Rust, so the change lands as a shipping product decision, not a lab demo. The Rust implementation is the single source of truth for the post-quantum core, while C# and Kotlin clients call into it over FFI and JNI so they all speak the same wire format.

The design is deliberately hybrid rather than pure post-quantum. Qeli combines classical X25519 with ML-KEM-768, then mixes the two shared secrets through HKDF-SHA256 to derive session keys. That choice targets the harvest-now, decrypt-later threat model: if one primitive holds, the session still has a chance to survive. The rest of the stack uses ChaCha20-Poly1305 on the data plane and Argon2id for password-derived secrets.
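The combining step described above, as an added Python sketch that is not Qeli's code: both shared secrets feed one HKDF-SHA256 (RFC 5869) call, so the output keys change if either input changes. The concatenation order, the transcript-hash salt, the `info` label and all function names are assumptions, and the secrets in the demo are constructed placeholders rather than real X25519 or ML-KEM outputs.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: chain HMAC blocks until `length` bytes exist."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 cannot produce more than 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(ss_x25519: bytes, ss_mlkem: bytes,
                        transcript_hash: bytes) -> tuple[bytes, bytes]:
    """Hypothetical combiner: returns (client_to_server, server_to_client)
    32-byte keys, sized for ChaCha20-Poly1305."""
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    if ss_x25519 == bytes(32):
        # An all-zero X25519 result means the peer sent a low-order point.
        raise ValueError("all-zero X25519 shared secret rejected")
    # Assumed order: classical secret first, then the ML-KEM-768 secret.
    ikm = ss_x25519 + ss_mlkem
    # Assumed salt: a hash over the handshake messages, binding keys to them.
    prk = hkdf_extract(transcript_hash, ikm)
    okm = hkdf_expand(prk, b"example hybrid handshake v1", 64)
    return okm[:32], okm[32:]


if __name__ == "__main__":
    # Constructed placeholder inputs, not real key-exchange outputs.
    th = hashlib.sha256(b"constructed handshake transcript").digest()
    c2s, s2c = derive_session_keys(b"\x11" * 32, b"\x22" * 32, th)
    print("c2s:", c2s.hex())
    print("s2c:", s2c.hex())
```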

NIST approved FIPS 203 for post-quantum cryptography on August 13, 2024, and the standard defines ML-KEM as a key-encapsulation mechanism with three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024. NIST’s documentation describes ML-KEM as believed secure even against adversaries who possess a quantum computer. On the transport side, an IETF draft published in September 2024 defined hybrid TLS 1.3 key agreements including X25519MLKEM768, and a May 2026 update expanded that set to X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024.

Litvinov said the handshake was a breaking change for older clients, the packet size grew because ML-KEM-768 is far larger than X25519, and versioning should have been planned earlier. ML-KEM-768 public keys are about 1.2 KB versus 32 bytes for X25519. Qeli has full TUN support, custom REALITY-style masking, and PQ-hybrid X25519MLKEM768 support.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
