Latest NIST PQC Standards and more – Bouncy Castle Java 1.79
2024-10-31
New release: Bouncy Castle Java 1.79
BIG News for Developers on the Latest NIST PQC Standards!
The Bouncy Castle Java 1.79 release has arrived, supporting the newly standardized NIST Post-Quantum Cryptography (PQC) algorithms, including the ML-KEM key encapsulation mechanism and the ML-DSA and SLH-DSA signature algorithms. These new PQC standards, finalized by NIST in August 2024, also include support for signature context strings, expanding secure applications for encryption and authentication.
What’s New for Developers Using Key Encapsulation Mechanisms (KEMs)?
This release will interest developers planning to use KEMs like ML-KEM for S/MIME-encrypted messaging, CMS-based protocols, long-term encryption-at-rest solutions, and issuing X.509 certificates based on KEMs, facilitating remote proof-of-possession.
Bouncy Castle Java's CMS API now supports using KEMs within Cryptographic Message Syntax, adhering to RFC 9269. This provides a flexible solution for encrypted communication and managing certification requests for ML-KEM-based certificates. Keyfactor’s EJBCA PKI will be among the first to implement this feature.
Updates to PGP Protocols: Argon2 and V6 Signature Support
Enhancements in this release also cover PGP, with the addition of Argon2 for password-based encryption (PBE) and the new V6 signature scheme. Argon2 improves security for cryptographic key generation, while V6 signatures introduce advanced functionality for RSA, Ed25519, and Ed448 algorithms, offering greater data capacity in signature subpackets compared to the older V4 format.
Stay Ahead with PQC Migration Strategies
While not yet finalized, the latest updates to Bouncy Castle Java 1.79 include recent revisions from the Composite Signatures and Delta/Chameleon Draft RFCs. In addition to X.509 hybrid certificates, these drafts support new methods for transitioning from classical cryptography to post-quantum standards.
Note: As these standards are still in draft, implementations are intended for testing and migration planning rather than production deployment.
But wait! There’s more!
In addition to the update, the Bouncy Castle team has also put together a guide with some details on the new standards, some differences of note as well as some pointers to proposed standards to help with migration. The guide also includes examples for using the new PQC standards with BC in both Java and C#. If that sounds interesting, follow the link and download the PQC Almanac.
Related resources
Cryptographic Security Evolution: Bouncy Castle Crypto API Attains FIPS 140-3 Certification