BIG news for developers on the latest NIST PQC Standards!
The Bouncy Castle Java 1.79 release has arrived, supporting the newly standardized NIST Post-Quantum Cryptography (PQC) algorithms, including the ML-KEM key encapsulation mechanism and the ML-DSA and SLH-DSA signature algorithms.
These new PQC standards, finalized by NIST in August 2024, also include support for signature context strings, expanding secure applications for encryption and authentication.
What’s New for Developers Using Key Encapsulation Mechanisms (KEMs)?
This release will interest developers planning to use KEMs like ML-KEM for S/MIME-encrypted messaging, CMS-based protocols, long-term encryption-at-rest solutions, and issuing X.509 certificates based on KEMs, facilitating remote proof-of-possession.
Bouncy Castle Java’s CMS API now supports using KEMs within Cryptographic Message Syntax, adhering to RFC 9629. This provides a flexible solution for encrypted communication and managing certification requests for ML-KEM-based certificates. Keyfactor’s EJBCA PKI will be among the first to implement this feature.
Updates to PGP Protocols: Argon2 and V6 Signature Support
Enhancements in this release also cover PGP, with the addition of Argon2 for password-based encryption (PBE) and the new V6 signature scheme. Argon2 improves security for cryptographic key generation, while V6 signatures introduce advanced functionality for RSA, Ed25519, and Ed448 algorithms, offering greater data capacity in signature subpackets compared to the older V4 format.
Stay Ahead with PQC Migration Strategies
Bouncy Castle Java 1.79 also includes recent revisions from the Composite Signatures and Delta/Chameleon Draft RFCs, which are not yet finalized. In addition to X.509 hybrid certificates, these drafts support new methods for transitioning from classical cryptography to post-quantum standards.
Note: As these standards are still in draft, implementations are intended for testing and migration planning rather than production deployment.
Alongside the release, the BC team has put together a guide with details on the new standards, some differences of note, and pointers to proposed standards to help with migration. The guide also includes examples for using the new PQC standards with BC in both Java and C#. If that sounds interesting, follow the link and download the PQC Almanac.
Need help implementing post-quantum cryptography (PQC)?
Get expert support services for the Bouncy Castle APIs right from the creators and developers. Crypto Workshop is the commercial wing of the Bouncy Castle project — committed to ongoing development, FIPS certification, and support services. Keyfactor acquired Crypto Workshop and serves as the sponsor and support services provider for the project.