break current public-key cryptography (RSA, ECC), enabling "Harvest now, Decrypt later" attacks on long-term confidential data. PQC is the Solution Post-Quantum Cryptography (PQC) algorithms are emerging as quantum-resistant solutions. Java is Adapting Has natively supported ML-KEM and ML-DSA since Java 24. However, it has not supported JSSE/TLS yet. Sooner action Can avoid last-minute panic. Crypto-agility Helps you make migration easy and crypto pluggable.
against quantum attacks. Based on math problems that quantum computers (as far as we know) cannot solve efficiently lattice problems hash-based structures error-correcting codes, etc. No quantum hardware is needed. These algorithms run on classical computers.
Cryptography | CSRC ML-KEM (FIPS 203) Module Lattice based Key Encapsulation Mechanism Key establishment, based on CRYSTALS-Kyber ML-DSA (FIPS 204) Module Lattice based Digital Signature Algorithm For digital signatures, based on CRYSTALS-Dilithium SLH-DSA (FIPS 205) StateLess Hash-based Digital Signature Algorithm for stateless hash-based signatures (SPHINCS+)
by Craig Gidney and Martin Ekerå How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits – Quantum Estimated in 2019 20M Reestimated in 2025 1M Research by Google’s Quantum AI team (Craig Gidney) [2505.15917] How to factor 2048 bit RSA integers with less than a million noisy qubits
5% ~65% of organisations are concerned about HNDL attacks 2025_07_10_Capgemini_Post-Quantum-Cryptography- Report_News-Alert.pdf 69% of organisations believe quantum computing will break encryption within 5 years Quantum Readiness Gap: A DigiCert Study On Quantum- Safe Encryption yet only ~5% have started implementing PQC solutions. Just 5% of Enterprises Have Deployed Quantum-Safe Encryption - Infosecurity Magazine
2030 2035 2028 2029 2031 2032 2033 2034 2027 2030 2035 2028 2029 2031 2032 2033 2034 By December 31, 2030 all equipment and services that cannot support CNSA 2.0 must be phased out unless otherwise noted. By January 1, 2027 all new acquisitions for NSS will be required to be CNSA 2.0 compliant unless otherwise noted. Complete migration for all national security systems by 2035. By December 31, 2031 CNSA 2.0 algorithms are mandated for use unless otherwise noted.
PQC 2030 – Deadline for phasing out non-PQC-compliant equipment 2035 – Full transition of national security systems NSA's CNSA 2.0 Guidance (National Security Memorandum NSM-10) • NSA's CNSA 2.0 Guidelines (NSM 10) • $7.1 billion budget estimate EU 2030 – Completion of PQC migration in government agencies and critical infrastructure 2035 – Full transition (where feasible) • European Commission Recommendation (April 2024) • EU Roadmap (June 2025) • Cross-Member State research budget (e.g.; Horizon Europe) UK ~2034 – Full transition target (estimated) • Timelines for migration to post-quantum cryptography (March 2025) JP 2030s – Target for completion of transition (provisional) • Ministry of Internal Affairs and Communications Report (2021) AU By 2030 – Ensure quantum resistance for confidential data • Australian Signals Directorate (ASD) Recommendation (2022)
compatibility issues (e.g., historical migrations from SHA-1 to SHA-256, TLS 1.2 to 1.3). [2408.05997v4] On the Formalization of Cryptographic Migration Cryptographic migration takes a long time ... For example, it took many organisations over five years to migrate from the vulnerable primitive SHA-1 to its secure successor SHA- 256, even after the necessary specifications and implementations were available. – The PQC Migration Handbook
in AWS KMS, ACM, and Secrets Manager Amazon CloudFront launches TLS security policy with post-quantum support AWS Private CA now supports post-quantum digital certificates Google Cloud Announcing quantum-safe digital signatures in Cloud KMS Microsoft Azure Quantum-safe security: Progress towards next-generation cryptography Cloudflare X25519+ML-KEM-768 hybrid key exchange in production (opt-in) Cloudflare Radar Akamai Post-Quantum Cryptography Implementation Considerations in TLS [Note] • Other major providers (IBM, Alibaba, etc.) are also experimenting with PQC in their offerings.
browsers now default to hybrid post-quantum TLS. By late 2025, all leading browsers and TLS libraries have X25519+Kyber-768 enabled by default. Chrome 131+/Firefox 132+/Safari 26+ Over 50% of Cloudflare’s traffic uses PQC encryption. State of the post-quantum Internet in 2025
Java PQC Timeline A timeline of Java (JDK) releases and their post-quantum crypto features: JEP 452: KEM (Key Encapsulation Mechanism) API – groundwork for KEMs JEP 496: ML-KEM (Kyber-based KEM) JEP 497: ML-DSA (Dilithium-based signatures) JEP 510: Extended KDF API (Key Derivation Functions) for hybrid protocols # No PQC algorithms included (APIs only) # Default JSSE does not cover PQC in TLS yet. Java 21 Sep 2023 Java 24 Mar 2025 Java 25 Sep 2025 # Default JSSE will cover these algorithms in TLS.
ML-KEM-768 as the default KeyPairGenerator g = KeyPairGenerator.getInstance("ML-KEM"); KeyPair kp = g.generateKeyPair(); // Encapsulate a secret to the public key (sender side) KEM kem = KEM.getInstance("ML-KEM"); KEM.Encapsulator encap = kem.newEncapsulator(kp.getPublic()); KEM.Encapsulated capsule = encap.encapsulate(); // Agreed secret key and send these bytes to other party SecretKey sharedSecret = capsule.key(); byte[] encapsulatedBytes = capsule.encapsulation(); // Decapsulate on the other side using private key (receiver side) KEM.Decapsulator decap = kem.newDecapsulator(kp.getPrivate()); SecretKey sharedSecret2 = decap.decapsulate(encapsulatedBytes);
JDK. BC 1.79 and later implement ML-KEM, ML-DSA, as well as SLH-DSA (SPHINCS+), HQC, and Falcon. Can use all NIST finalists (and some alternates) on Java 8, 11, 17, etc., via Bouncy Castle. Integration via JCA Provider To use BC’s PQC, register the provider and request algorithms by name and provider: import java.security.Security; import org.bouncycastle.jce.provider.BouncyCastleProvider; Security.addProvider(new BouncyCastleProvider()); .// KeyPairGenerator kpg = KeyPairGenerator.getInstance("ML-DSA", "BC");
Exchange for TLS 1.3 (will be introduced after RFC is issued.) • The more algorithms NIST standardizes, the more will be added to future Java versions. • Current default JSSE doesn’t cover PQC in TLS (but we can customize JSSE). Java Secure Socket Extension (JSSE) Reference Guide • ML-KEM and ML-DSA are available in JDK 24/25 APIs.
better. Pros Cons Classic Long security verification history. Vulnerability to quantum computers is a concern. PQC No efficient solution using quantum computers. Short security verification history. (a risk to be broken) ECDHE-MLKEM in TLS 1.3 is already implemented on browsers, CDN, TLS libraries. - Chrome 131+/Firefox 132+/Safari 26+ draft-ietf-tls-ecdhe-mlkem-01 - Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 draft-ietf-tls-hybrid-design-16 - Hybrid key exchange in TLS 1.3 JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3
ML-KEM draft-ietf-tls-hybrid-design-16 - Hybrid key exchange in TLS 1.3 Generate (EC)DHE key pair Send ClientHello 1. Decide key algorithm 2. Generate (EC)DHE keypair Derive shared_secret_x with (EC)DHE Derive handshake_secret from shared_secret by HKDF shared_secret_x =ECDH(PK_c, SK_s) handkshake_secret =HKDF(shared_secret ...) Public key (PK_c) Private key (SK_c) Public key (PK_s) Private key (SK_s) Generate (PQ)KEM key pair Encapsulation key (EK) Decapsulation key (DK) 1. Generate shared_secret_y 2. Encapsulate the secret with EK Enc=Encap(EK, shared_secret_y) Concatenate shared_secret=shared_secret_x || shared_secret_y ClientHello - key_share (includes PK_c, EK) - signature algorithms - psk_key_exchange_modes - pre_shared_key [Note] In the key_share extension of ClientHello, a new public key and the encapsulation key (EK) are sent at the same time. The server performs 1. ECDH key exchange to derive shared_secret_x 2. Encapsulates the randomly generated key shared_secret_y 3. Combines shared_secret_x and shared_secret_y to derive shared_secret 4. Generates handshake_secret using the HMAC Key Derivation Function (HKDF).
by HKDF shared_secret_x =ECDH(PK_s, SK_c) handkshake_secret =HKDF(shared_secret ...) Decrypt encrypted parts of ServerHello with a key derived by HKDF from handshake_secret Decapsulate enc with EK and obtain shared_secret_y shared_secret_y =Decap(DK, Enc) Concatenate shared_secret=shared_secret_x || shared_secret_y ServerHello - key_share (includes PK_s, Enc) - pre_shared_key - EncryptedExtensions - CertificateRequest - Certificate - CertificateVerify - Finished - Application Data [Note] In the key_share extension of ServerHello, a new public key and the shared_secret_y are sent at the same time. The steps in the client are similar to what the Server performs. That is, 1. Performs an ECDH key exchange to derive shared_secret_x 2. Decapsulates to derive shared_secret_y 3. Combines shared_secret_x and shared_secret_y to derive shared_secret, 4. Generates handshake_secret using the HKDF. Encrypted with a key derived by HKDF from handshake_secret.
Both the ClientHello and ServerHello packets get much bigger. ClientHello packet could be fragmented at lower layers. Unexpected behavior at intermediate switches The performance loss from segmentation and reassembly ML-KEM-768 Public key shared key for encapsulation X25519 public key Key size (byte) 1184 1088 32
ready Java already supports PQC APIs Hybrid + crypto-agility Start now HNDL is active! • ML-KEM • ML-DSA • SLH-DSA Other standards are now being discussed. Hybrid key exchange support in TLS 1.3 (JEP 527) expected in upcoming JDK. For safe migration Migration spans years; monitor and iterate.
Quantum Security Post-Quantum Cryptography | CSRC National Institute of Standards and Technology NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption | NIST Quantum-Ready FN-DSA (FIPS 206) Nears Draft Approval from NIST | DigiCert CSRC Presentations | CSRC How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits – Quantum [2505.15917] How to factor 2048 bit RSA integers with less than a million noisy qubits 2025_07_10_Capgemini_Post-Quantum-Cryptography-Report_News-Alert.pdf Quantum Readiness Gap: A DigiCert Study On Quantum-Safe Encryption Just 5% of Enterprises Have Deployed Quantum-Safe Encryption - Infosecurity Magazine National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems | The White House White House to require post-quantum encryption plans from agencies Recommendation on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography | Shaping Europe’s digital future NCSC - NCSC.GOV.UK
[2408.05997v4] On the Formalization of Cryptographic Migration The PQC Migration Handbook - Guidelines for migrating to Post-Quantum Cryptography ML-KEM post-quantum TLS now supported in AWS KMS, ACM, and Secrets Manager | AWS Security Blog Amazon CloudFront launches TLS security policy with post-quantum support – AWS Announcing quantum-safe digital signatures in Cloud KMS | Google Cloud Blog AWS Private CA now supports post-quantum digital certificates - AWS Quantum-safe security: Progress towards next-generation cryptography | Microsoft Security Blog Cloudflare Radar Post-Quantum Cryptography Implementation Considerations in TLS | Akamai State of the post-quantum Internet in 2025 JEP 452: Key Encapsulation Mechanism API JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm JEP 510: Key Derivation Function API JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3 Java Secure Socket Extension (JSSE) Reference Guide
logico_jp
line_developers_tw
dynamis
oracle4engineer
ebiken
brainpadpr
cryptopeg
shibayu36
nagatsu
ykiyota
bitkey
miyatakoji
tomoki10
kneath
quramy
tammyeverts
reverentgeek
addyosmani
helmedeiros
mojombo
eileencodes
seathinner
codingconduct
katarinadahlin
![Government Deadlines Are Real US National Security Agency [NSA] 2027](https://files.speakerdeck.com/presentations/0aba0e886acd4823b524c09f74410523/slide_16.jpg){kind=link}
