Below is a long OSS idea list aimed at high-demand / low-supply “pure-math-ish crypto” roles (PQC migration, proofs/assurance, protocol correctness). I’m grounding the demand logic in the hard external drivers: NIST’s finalized PQC standards (FIPS 203/204/205), U.S. federal migration requirements (OMB M-23-02 + law), and NSA/CNSA 2.0 transition timelines, plus real-world hybrid TLS deployment pressure. (NIST)
Keywords you should treat as “PQC-math-demand” signals
Use these to scope issues/PRDs, scrape jobs, and name features:
Standards / algorithms
ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+) (NIST)
CNSA 2.0, CNSS Policy 15 timelines (prefer/support/exclusive dates by system type) (U.S. Department of War)
“hybrid key exchange TLS 1.3”, “next-generation KEM”, “IND-CCA2 / FO transform” (datatracker.ietf.org)
Migration & governance
“crypto inventory”, “crypto agility”, “quantum-vulnerable systems”, “annual inventory through 2035” (The White House)
“funding estimate for migration”, “prioritized subset of systems” (The White House)
Proof / assurance language
“provable security”, “security reduction”, “parameter selection rationale”, “side-channel”, “conformance validation”
OSS opportunities (high demand vs low supply)
1) Crypto Inventory Scanner (the “SBOM for crypto”)
Replaces/assists: PQC Migration Lead + Security Architect
What it does: find every place crypto is used (libs, protocols, certs, configs, embedded firmware), output a normalized inventory (alg, key sizes, usage context).
Why demand: federal policy requires inventories and migration planning; most orgs don’t even know where RSA/ECC live. (The White House)
Keywords: crypto inventory, algorithm discovery, TLS ciphers, SSH KEX, X.509, HSM, KMS
Success metric: “% of repos/assets covered” + “false negative rate” + “time to first inventory”.
2) PQC Readiness Scorecard + Compliance Report Generator
Replaces/assists: PQC Compliance Lead / Auditor
What it does: ingest inventory + configs → generate reports mapped to OMB/CNSA timelines and internal policy.
Why demand: mandates + deadlines create reporting work; auditors want evidence. (The White House)
Keywords: M-23-02, CNSA 2.0 prefer/support/exclusive, compliance evidence
Success metric: “audit-ready packet in <1 hour”.
3) “Crypto Agility” Policy Engine (machine-checkable crypto rules)
Replaces/assists: Security Architect + Platform Security
What it does: express allowed algorithms/params per system type; enforce via CI (fail builds, block deploys).
Why demand: migration is a long tail; you need guardrails now to avoid reintroducing vulnerable crypto. (The White House)
Keywords: policy-as-code, allowed KEMs, key sizes, forbidden RSA/ECDSA in new code
Success metric: “policy violations caught pre-merge”.
4) Hybrid TLS 1.3 Interop & Test Harness
Replaces/assists: Protocol Cryptography Engineer
What it does: spin up client/server matrices across libraries; validate handshake correctness, resumption, failure modes; capture pcap + traces.
Why demand: hybrid TLS is an active standardization/deployment area; interop is painful. (datatracker.ietf.org)
Keywords: tls 1.3 hybrid, x25519+kyber, KEM groups, handshake transcript
Success metric: “known-good interop matrix across N libs”.
5) PQC Parameter Advisor (safe defaults + rationale generator)
Replaces/assists: Cryptographic Assurance Scientist
What it does: given risk profile + constraints (bandwidth, latency, hardware), recommend ML-KEM/ML-DSA levels, certificate choices, hybrid strategy, with citations to standards and explicit tradeoffs.
Why demand: parameter mistakes are common; “why this level?” becomes an audit question. (NIST)
Keywords: security level, parameter set, latency/bandwidth tradeoff, margin
Success metric: “orgs adopt defaults unchanged”.
6) Conformance Suite for NIST PQC (FIPS-aligned test vectors + fuzz)
Replaces/assists: Validation Scientist / Crypto QA
What it does: known-answer tests, negative tests, fuzzing hooks, constant-time checks where possible.
Why demand: finalized standards (FIPS 203/204/205) create immediate need for “did we implement it correctly?” (NIST)
Keywords: FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA
Success metric: “vendors ship passing results publicly”.
7) Side-Channel “Linter” for PQC Implementations
Replaces/assists: Side-channel specialist (rare)
What it does: static heuristics + dynamic probes (timing/cache patterns), flags common constant-time footguns in PQC codepaths.
Why low supply: side-channel talent is scarce; PQC introduces new tricky code patterns.
Keywords: constant-time, masking, cache timing, micro-arch leakage
Success metric: “bugs found per KLOC; CVEs prevented”.
8) Formal Proof / Model Checking Templates for Protocol Integrations
Replaces/assists: Formal Methods Engineer
What it does: reusable models (Tamarin/ProVerif-style templates) for “TLS hybrid KEX”, “KEMTLS”, “SSH hybrid KEX”, “Signal-style KEM usage”.
Why demand: people need “proof-like confidence” quickly; templates lower the bar. (datatracker.ietf.org)
Keywords: symbolic model, protocol proof, authentication, KCI, replay
Success metric: “time to first model for a new protocol < 1 day”.
9) “Crypto Diff” Tool for Config Drift (what changed, what risk)
Replaces/assists: Security Reviewer
What it does: diff TLS/SSH/KMS/HSM configs across fleets; highlight downgraded algorithms and key sizes.
Why demand: migration takes years; drift reintroduces risk while teams change.
Keywords: cipher suite diff, KEX group diff, key size diff
Success metric: “downgrade incidents reduced”.
10) PQC PKI Migration Toolkit (cert profiles, chain strategies, rollout playbooks)
Replaces/assists: PKI Engineer + Assurance
What it does: generate profiles/policies for PQC signatures, hybrid strategies, compatibility matrices, staged rollout tooling.
Why demand: cert ecosystems are brittle; migration is hard and expensive; CNSA timelines explicitly cover systems classes. (U.S. Department of War)
Keywords: X.509, certificate profile, root/intermediate rotation, hybrid certs
Success metric: “successful staged rollouts without outages”.
11) Code Signing PQC Readiness Suite
Replaces/assists: Platform Security / Release Engineering
What it does: detect signing algorithms, verify pipeline integrity, add PQC/hybrid signing options, produce attestations.
Why demand: CNSA 2.0 and federal migration timelines include software/firmware considerations. (U.S. Department of War)
Keywords: code signing, firmware signing, signature algorithm transition
Success metric: “% builds with PQC-ready signing path”.
12) KMS/HSM Capability Mapper
Replaces/assists: Crypto Platform PM / Architect
What it does: auto-detect what AWS/GCP/Azure KMS or major HSMs support; provide migration guidance and risk notes.
Why demand: many orgs are blocked on “does our HSM/KMS support PQC yet?”—information is fragmented.
Keywords: HSM, KMS, key encapsulation, signing support matrix
Success metric: “reduces migration planning time”.
13) “PQC in the Browser/Edge” Experiment Kit
Replaces/assists: Security Researcher / SRE for TLS
What it does: reproducible testbed for PQ/hybrid TLS endpoints, client behaviors, performance, failure analysis.
Why demand: hybrid internet deployments are real; edge behavior matters for outages. (The Cloudflare Blog)
Keywords: hybrid TLS deployment, handshake failures, enterprise interception
Success metric: “MTTR for hybrid TLS incidents”.
14) Threat-Model Wizard for PQC Decisions (structured, exportable)
Replaces/assists: Security Architect
What it does: asks structured questions (data lifetime, adversary, protocols) → outputs a threat model + required properties (KEM IND-CCA, reuse safety, etc.).
Why demand: pure crypto decisions depend on threat model; most orgs don’t have one written down. (datatracker.ietf.org)
Keywords: threat model, quantum adversary, long-term confidentiality
Success metric: “adopted in security review templates”.
15) “Migration Cost Estimator” (inventory → labor/capex estimates)
Replaces/assists: Program Manager + Security Lead
What it does: from inventory + system criticality, estimate engineering time, vendor dependency, validation scope; aligns with “funding estimate” asks. (The White House)
Keywords: migration estimate, prioritization, critical systems
Success metric: “budget variance decreases”.
16) PQC Interop Registry (public, vendor-neutral)
Replaces/assists: Standards/Interop specialist
What it does: a community-run registry of “works with” results: library versions, ciphersuites/groups, known issues.
Why demand: interop is a shared pain; each org repeats the same testing. (datatracker.ietf.org)
Keywords: interop matrix, known issues, regression watch
Success metric: “# of vendors publishing results”.
17) “Crypto Use-Case Pattern Library” (safe recipes, not primitives)
Replaces/assists: Applied Cryptographer
What it does: opinionated, audited patterns: secure envelope encryption w/ KEM, secure session establishment, hybrid strategies, key rotation patterns.
Why demand: most failures are from misuse, not broken primitives; standards being finalized increases integration work. (NIST)
Keywords: misuse-resistant, KEM-based envelope, hybrid composition
Success metric: “reduces bespoke crypto code”.
18) “Audit Evidence Pack” Generator (reproducible proofs-of-correctness)
Replaces/assists: Security proof reviewer (rare)
What it does: bundles test results, config snapshots, conformance suite outputs, parameter rationale, and threat model into an immutable artifact.
Why demand: auditors want repeatable evidence; policy requires inventories and planning; CNSA adds timelines. (The White House)
Keywords: audit evidence, attestation, reproducibility
Success metric: “audit time cut by X%”.
Which segments are most “high demand / low supply”
If you want to prioritize for OSS impact, the best targets are where a few experts currently gate progress:
Crypto inventory + compliance reporting (massive demand, almost no good tooling) (The White House)
Interop + conformance + regression suites for PQC/hybrid TLS (painful, repeated everywhere) (datatracker.ietf.org)
Side-channel + validation tooling (expert-scarce, high risk)
PKI + code signing migration (brittle systems; few specialists) (U.S. Department of War)