The JDK now encodes ML-KEM and ML-DSA private keys in PKCS #8 format using the DER-encoded ASN.1 CHOICE formats defined in Section 6 of draft-ietf-lamps-kyber-certificates-11 and Section 6 of RFC 9881. Two new security properties (`jdk.mlkem.pkcs8.encoding` and `jdk.mldsa.pkcs8.encoding`) control the encoding used when generating new keys with a `KeyPairGenerator` or when translating keys with a `KeyFactory`. Valid values are "seed", "expandedKey", and "both" (case-insensitive). If a system property of the same name is also specified, it supersedes the security property value. All three formats are supported when decoding previously encoded private keys with a `KeyFactory`.

When these algorithms were introduced in JDK 24, the encoding format was equivalent to the "expandedKey" choice. This release changes the default to "seed". As a result, ML-KEM and ML-DSA private keys generated by this JDK release will not be accepted by older releases by default, although keys generated by older releases are still readable by this release. To make a new private key acceptable by older releases, set the relevant property to "expandedKey" and use `KeyFactory.translateKey` to convert it to the older format. This change is planned to be backported to update releases, so the interoperability impact is expected to be temporary.