ISARA Catalyst™ Connector 2.1 for OpenSSL

This package is version 2.1 of the ISARA Catalyst Connector.


  • A set of patch files to be applied to the appropriate version of the OpenSSL source

  • The ISARA Radiate™ toolkit library binary

  • The ISARA Catalyst Connector Engine, built using OpenSSL and the ISARA Radiate toolkit

  • The source code for several demo applications that demonstrate how to use the ISARA Catalyst Connector

  • A quantum-safe crypto algorithm demo script and the expected output

  • A quantum-safe TLS client-server communication demo script and the expected output

The ISARA Catalyst Connector is organized into several files and directories:

  • README.html — This file

  • ISARA-Catalyst-Connector-for-OpenSSL-Guide.html — ISARA Catalyst Connector for OpenSSL User’s Guide

  • ISARA-Catalyst-Connector-MPKAC-Tutorial.html — ISARA Catalyst Connector for OpenSSL Quantum-Safe Catalyst Certificate Tutorial

  • ISARA_OIDs.html — ISARA Cryptographic Object Identifiers Document

  • <OPENSSL_VERSION>_ISARA.patch — Patch to apply against OpenSSL where <OPENSSL_VERSION> is one of the following:

    • OpenSSL-1.1.1k

  • lib/ — ISARA Radiate toolkit library (on Linux)

  • lib/libiqr_toolkit.dylib — ISARA Radiate toolkit library (on macOS)

  • lib/ — ISARA Catalyst Connector engine (on Linux and macOS)

  • lib/libiqr_toolkit.dll — ISARA Radiate toolkit library (on Windows)

  • lib/<OPENSSL_VERSION>/libiqre_engine.dll — ISARA Catalyst Connector engine (on Windows)

  • demos/ — Demonstration source code showing some of the new features

  • crypto_demo_script.txt — Script used to demonstrate using OpenSSL with our quantum-safe crypto algorithms

  • crypto_demo_script_expected_output.txt — Expected output of the crypto_demo_script.txt

  • tls12_demo_script.txt — Script used to demonstrate OpenSSL client-server TLS 1.2 secure handshakes and message communications using ISARA quantum-safe cipher suites

  • tls12_demo_script_expected_output.txt — Expected output of the tls12_demo_script.txt

  • dtls12_demo_script.txt — Script used to demonstrate OpenSSL client-server DTLS 1.2 secure handshakes and message communications using ISARA quantum-safe cipher suites

  • dtls12_demo_script_expected_output.txt — Expected output of the dtls12_demo_script.txt

  • crypto_demo_data/ — Configuration and output files for the crypto_demo_script.txt

  • tls_demo_data/ — Configuration and output files for tls12_demo_script.txt and dtls12_demo_script.txt scripts

  • images/ — Image files that are referenced by the documents above

Getting Help

The latest version of ISARA Catalyst documentation is available on ISARA’s website:

For more details and requirements, refer to the ISARA Catalyst Connector 2.1 for OpenSSL Developer’s Guide.

System Requirements

  • 64-bit macOS 10.14 or newer

  • 64-bit Ubuntu 18.04 or newer

  • 64-bit Windows 10 or newer

  • Android 7.0 (Nougat) or newer (API level 24 or higher)

Change Log

Changes Since 2.0

  • Upgrade support from OpenSSL version 1.0.2t and 1.0.2u to 1.1.1k.

  • Add Saber, a lattice-based key encapsulation mechanism.

  • Add 2E15 signing operations option for HSS.

  • Add lower security variants of Dilithium (Dilithium_II_SHAKE_r2), FrodoKEM (FrodoKEM_640_AES_r2 and FrodoKEM_640_SHAKE_r2), Kyber (KYBER_512_r2), SIDH (SIDH_P434_r2), and SIKE (SIKE_P434_r2). These are suitable for situations when lower processing time is more important than higher security.

  • Add a medium security variant to SIDH (SIDH_P610_r2), and SIKE (SIKE_P610_r2).

  • Remove the 2E25 signing operations option for HSS.

  • Add new DTLS demo application, scripts and expected output.

  • Rename applications from QS to Alt to reflect that they extend cryptographic artifacts by adding alternative components.

  • Add Catalyst CRL support with new documentation, APIs, and crlAltExtend and crlAltVerify applications

  • Use OpenSSL’s optimized SHA implementations in quantum-safe algorithms; noticeable difference in performance

  • Move the ISARA quantum-safe ciphersuites to the lowest priority

  • Remove quantum-safe key exchange parameter set and get APIs for TLS connections; OpenSSL 1.1.1 introduced generic APIs for configuring groups.

  • Implement new logic around authentication algorithm selection based on presence or absence of peer’s Catalyst TLS extension.

  • Add triple hybrid key exchange ciphersuites

  • Change x509AltDirectExtend’s -privalt to -privaltin and -privaltout

  • BUGFIX: cmsQSExtend’s -noattr is no longer being ignored.

Changes Since 1.4

  • Upgrade support from OpenSSL version 1.0.2m and 1.0.2n to 1.0.2t and 1.0.2u

  • Add Microsoft Windows support

  • Remove the following algorithms:

    • Lattice-based Unique Key Exchange (LUKE), an ISARA Proprietary Algorithm

  • Remove Leighton-Micali Signature Scheme

  • Remove McEliece with Quasi-Cyclic Moderate Density Parity-Check Code KEM

  • Convert New Hope Family into NewHope Diffie-Hellman Key Exchange

  • Add the following algorithms:

    • Frodo Diffie-Hellman Key Exchange

    • Samwise Key Exchange

    • Classic McEliece KEM

    • Frodo KEM

    • eXtended Merkle Signature Scheme

    • eXtended Merkle Signature Scheme - Multi-Tree

    • Hierarchical Signature Scheme

    • SPHINCS+ Signature Scheme

  • Rename old and implement new NIST PQC algorithm variants

  • Introduce OTS state files which replace OTS indexes

  • Implement strategy options for managing the OTS state

  • Add support for intrinsic signing

  • Implement support for dual private keys

  • Change alternative X509 certificate chain verification to verify the self-signed root certificate’s signature by default

  • Implement new ciphersuites that use quantum-safe algorithms

  • Implement quantum-safe key exchange parameter set and get APIs for TLS connections

  • Implement the Catalyst TLS extension to signal awareness and support of catalyst certificates

  • Enable strict mode by default during TLS connections

  • Implement cmsQSExtend application for extending CMS messages by adding Catalyst Attributes

  • Implement cmsQSVerify application for verifying the extended CMS messages

  • Implement pkcs12QSExtend applications for extending PKCS12 by adding the alternative private key

  • Implement TLS 1.2 server and client demonstration applications along with example scripts showing execution and expected output and generated artifacts

  • BUGFIX: When adding our Catalyst extensions, ensure we set certificate version to 3 (0x2)

Changes Since 1.3

  • Upgrade support from OpenSSL version 1.0.2k and 1.0.2l to 1.0.2m and 1.0.2n

  • BUGFIX: x509QSExtend gracefully handles when input and output are the same file

The ISARA Catalyst™ Connector Binaries are licensed for use:

Copyright © 2017-2021, ISARA Corporation, All Rights Reserved.

The code and other content set out herein is not in the public domain, is considered a trade secret and is confidential to ISARA Corporation. Use, reproduction or distribution, in whole or in part, of such code or other content is strictly prohibited except by express written permission of ISARA Corporation. Please contact ISARA Corporation at for more information.


ISARA Catalyst™ and ISARA Radiate™ are trademarks of ISARA Corporation.

Patent Information