JDK now encodes ML-KEM and ML-DSA private keys in PKCS #8 using the DER-encoded ASN.1 CHOICE formats defined in Section 6 of draft-ietf-lamps-kyber-certificates-11 and Section 6 of RFC 9881. Two new security properties (`jdk.mlkem.pkcs8.encoding` and `jdk.mldsa.pkcs8.encoding`) control the encoding used when generating new keys or when translating keys via a `KeyFactory`. Valid values are "seed", "expandedKey", and "both" (case-insensitive). All three formats are supported when decoding.

When these algorithms were introduced in JDK 24, the encoding format was equivalent to the "expandedKey" choice. This release changes the default to "seed". As a result, ML-KEM and ML-DSA private keys generated by this JDK release will not be accepted by older releases by default, although keys generated by older releases are still readable by this release. To make a new private key acceptable by older releases, set the relevant property to "expandedKey" and use `KeyFactory.translateKey` to convert it to the older format.