BSI project: Development of a secure crypto library
Recommendation: The BSI recommends Botan 3.6.1 or Botan 3.7.1-RSCS1 for usage in security-sensitive applications.
Background
Cryptographic libraries are often used as core components in security applications. They are of central importance for security. However, the development of a cryptographic library is very demanding and prone to errors - regarding both the selection of suitable algorithms and their implementation. Serious problems have repeatedly occurred with widespread cryptographic libraries (e.g. OpenSSL) and these can significantly impair the security of the applications based on them.
The BSI carried out the "Secure implementation of a general cryptographic library" project with the contractor Rohde & Schwarz Cybersecurity GmbH. The aim of the project was to provide an open-source, secure, clear, controllable and well-documented cryptographic library that is suitable for as many application scenarios as possible and can also be used in applications with increased security requirements.
For this purpose, based on an analysis of existing open source cryptographic libraries, the Botan library was selected as a suitable basis for further development. As part of this project, Botan’s cryptographic implementation was examined more thoroughly and existing deficiencies were corrected.
Missing cryptographic primitives and standards were implemented in accordance with the BSI's technical guidelines.
The test suite was improved, resistance to side-channel attacks was strengthened by suitable software countermeasures, and the documentation was consequently expanded. The project ended in 2017 and was completed with the release of Botan version 2.4.0-RSCS1 on GitHub.
Botan is available under the Simplified BSD License and can therefore be used for both open and commercial applications.
Project summary: "Sichere Implementierung einer allgemeinen Kryptobibliothek - Projektzusammenfassung" (Secure implementation of a general cryptographic library - project summary)
Botan 3.x and post-quantum cryptography
The follow-up project "Maintenance and further development of the Botan cryptographic library" was started together with the contractor Rohde & Schwarz Cybersecurity GmbH at the beginning of 2022 and concluded in March 2025. Over the course of the first year of the project, the current development version of Botan (the master branch on GitHub) was subjected to the established analysis and testing process, and any defects discovered were corrected. The results have already been merged into the open-source project. Further, post-quantum schemes as well as a hybrid key exchange for TLS 1.3 were implemented.
The latest version of Botan that has been reviewed as part of this project is Botan 3.7.1-RSCS1, available on Rohde & Schwarz Cybersecurity’s GitHub repository. This release contains all post-quantum schemes recommended by BSI in TR-02102: the key encapsulation mechanisms FrodoKEM, Classic McEliece and ML-KEM, as well as the post-quantum signature schemes ML-DSA, SLH-DSA as well as XMSS and HSS/LMS.
The previous version, Botan 3.6.1, can also be used. Note, however, that it does not yet contain an implementation of Classic McEliece. Usage of Botan 3.7.1 (without the label RSCS1) is not recommended. The difference between Botan 3.7.1 and Botan 3.7.1-RSCS1 lies solely in the implementation of the ECDH key agreement scheme, which is not standard-compliant in Botan 3.7.1 (see corresponding pull request on GitHub).