-
CSR
-
Resolution: Approved
-
P3
-
None
-
source
-
minimal
-
Java API, Other
-
SE
Summary
Implementing the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) as defined in FIPS 204 in the Java Platform.
Problem
ML-DSA is a quantum-resistant digital signature algorithm selected by the National Institute of Standards and Technology (NIST) to ensure the security of cryptographic systems in the post-quantum era. Supporting ML-DSA is critical to future-proof applications running on the Java Platform against the emerging threat of quantum computing, which can potentially break current cryptographic algorithms.
Solution
- Define
ML-DSAand its three standardized parameter sets (ML-DSA-44,ML-DSA-65, andML-DSA-87) as Java Security Standard Algorithm Names. - Implement
KeyPairGenerator,KeyFactory, andSignatureimplementations of ML-DSA with these standardized parameter sets in theSUNsecurity provider. - Create new
NamedParameterSpecconstants forML-DSA-44,ML-DSA-65, andML-DSA-87. - Add the algorithms to the
KeyPairGenerator,KeyFactory, andSignaturerows of the SUN provider table of the JDK Security Providers Guide.
Specification
First, in src/java.base/share/classes/java/security/spec/NamedParameterSpec.java, add the following lines:
+ /**
+ * The ML-DSA-44 parameters
+ *
+ * @since 24
+ */
+ public static final NamedParameterSpec ML_DSA_44
+ = new NamedParameterSpec("ML-DSA-44");
+
+ /**
+ * The ML-DSA-65 parameters
+ *
+ * @since 24
+ */
+ public static final NamedParameterSpec ML_DSA_65
+ = new NamedParameterSpec("ML-DSA-65");
+
+ /**
+ * The ML-DSA-87 parameters
+ *
+ * @since 24
+ */
+ public static final NamedParameterSpec ML_DSA_87
+ = new NamedParameterSpec("ML-DSA-87");Second, in the Java Security Standard Algorithm Names document, add the following lines to the KeyPairGenerator section:
--------------- --------------------------------------------------------------
Algorithm Name Description
--------------- --------------------------------------------------------------
ML-DSA Generates keypairs for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
This algorithm supports keys with ML-DSA-44, ML-DSA-65,
and ML-DSA-87 parameter sets.
ML-DSA-44 Generates keypairs for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-44 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-65 Generates keypairs for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-65 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-87 Generates keypairs for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-87 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).Add the following lines to the KeyFactory section:
--------------- --------------------------------------------------------------
Algorithm Name Description
--------------- --------------------------------------------------------------
ML-DSA Keys for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
This algorithm supports keys with ML-DSA-44, ML-DSA-65,
and ML-DSA-87 parameter sets.
ML-DSA-44 Keys for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-44 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-65 Keys for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-65 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-87 Keys for the Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-87 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).Add the following lines to the Signature section:
------------------------------ --------------------------------------------------------------------------------------
Algorithm Name Description
------------------------------ --------------------------------------------------------------------------------------
ML-DSA The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
This algorithm supports keys with ML-DSA-44, ML-DSA-65,
and ML-DSA-87 parameter sets.
ML-DSA-44 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-44 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-65 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-65 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-87 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-87 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).Add the following lines to the NamedParameterSpec section:
------ -----------------------------------
Name Description
------ -----------------------------------
ML-DSA-44 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-44 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-65 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-65 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).
ML-DSA-87 The Module-Lattice-Based Digital Signature Algorithm
(ML-DSA) using the ML-DSA-87 parameter set as defined in
[FIPS 204](https://csrc.nist.gov/pubs/fips/204/final).- blocks
-
JDK-8339010 JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm
-
- Closed
-
- csr of
-
JDK-8298387 Implement JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm
-
- Resolved
-