-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
P2
-
Affects Version/s: 25
-
Component/s: security-libs
-
None
When ML-KEM and ML-DSA were introduced in JDK 24, the RFCs defining private key encodings for these algorithms had not been published yet. The drafts at the time, draft-ietf-lamps-kyber-certificates and draft-ietf-lamps-dilithium-certificates, described the private key only as βan opaque byte sequence,β without specifying a concrete format.
Based on that, the JDK 24 implementation adopted the encodings defined in NIST FIPS 203 and 204 β specifically, using the private key output from the ML-KEM.KeyGen function (Section 7.1 of FIPS 203), and the ML-DSA.KeyGen function (Section 5.1 of FIPS 204).
Now that RFC XXX (ML-KEM) and RFC 9881 (ML-DSA) have been published, their private key formats are formally defined as DER-encoded ASN.1 CHOICE types. For example, for ML-KEM-512:
ML-KEM-512-PrivateKey ::= CHOICE {
seed [0] OCTET STRING (SIZE (64)),
expandedKey OCTET STRING (SIZE (1632)),
both SEQUENCE {
seed OCTET STRING (SIZE (64)),
expandedKey OCTET STRING (SIZE (1632))
}
}
Similar structures are defined for ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87.
The JDK 24 implementation currently uses the second option, `expandedKey OCTET STRING`. To comply with the final RFCs, we need to update our implementation to support the other two CHOICEs as well.
Based on that, the JDK 24 implementation adopted the encodings defined in NIST FIPS 203 and 204 β specifically, using the private key output from the ML-KEM.KeyGen function (Section 7.1 of FIPS 203), and the ML-DSA.KeyGen function (Section 5.1 of FIPS 204).
Now that RFC XXX (ML-KEM) and RFC 9881 (ML-DSA) have been published, their private key formats are formally defined as DER-encoded ASN.1 CHOICE types. For example, for ML-KEM-512:
ML-KEM-512-PrivateKey ::= CHOICE {
seed [0] OCTET STRING (SIZE (64)),
expandedKey OCTET STRING (SIZE (1632)),
both SEQUENCE {
seed OCTET STRING (SIZE (64)),
expandedKey OCTET STRING (SIZE (1632))
}
}
Similar structures are defined for ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87.
The JDK 24 implementation currently uses the second option, `expandedKey OCTET STRING`. To comply with the final RFCs, we need to update our implementation to support the other two CHOICEs as well.
- csr for
-
JDK-8349163 Switch to latest ML-KEM and ML-DSA private key encoding
-
- Draft
-
- duplicates
-
-
- Closed
-
- is blocked by
-
JDK-8339009 JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism
-
- Closed
-
-
-
- Closed
-
- links to
-
Review(master)
openjdk/jdk/23376
-
Review(master)
openjdk/jdk/24969
(1 links to)