Support Post-Quantum Cryptography (PQC) in ACCP #459
Description
Context: AWS is progressively migrating to post-quantum cryptography [1] as part of its shared cloud security compliance model [2]. While AWS is explicit about supporting PQC in its foundational native libraries (i.e., aws-lc and s2n), it, to my knowledge, did not communicate a commitment or roadmap related to ACCP.
Question: Specifically for ACCP, I'd like to inquire if, or respectively when, ACCP will add support for exposing PQC algorithms that are already standardized and shipping as part of aws-lc, namely ML-KEM (FIPS 203 [3]) for key encapsulation, and ML-DSA (FIPS 204 [4]) for digital signatures.
Those two algorithms are already available in OpenJDK 24 and onwards (cf. JEP 496 [5] and JEP 497 [6]). Exposing the corresponding aws-lc implementations via ACCP would directory support ACCP's mission:
"The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard JCA/JCE interfaces. This means that it can be used as a drop in replacement for many different Java applications. [...] As of 2.0.0, algorithms exposed by ACCP are primarily backed by AWS-LC's implementations."
Thank you in advance for clarifying your plans for supporting post-quantum cryptography in ACCP.
- "AWS Post-Quantum Cryptography Migration Plan" (https://aws.amazon.com/blogs/security/aws-post-quantum-cryptography-migration-plan)
- "AWS Cloud Security Shared Responsibility Model" (https://aws.amazon.com/compliance/shared-responsibility-model)
- "FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard" (https://csrc.nist.gov/pubs/fips/203/final)
- "FIPS 204: Module-Lattice-Based Digital Signature Standard" (https://csrc.nist.gov/pubs/fips/204/final)
- "JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism" (https://openjdk.org/jeps/496)
- "JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm" (https://openjdk.org/jeps/497)