- Use cases
- Resources & Inspiration
Updating PQC FIPS standards and ensuring interoperability testing is crucial in our ongoing quantum-ready journey. As a Bouncy Castle user, you now have the opportunity to experiment both internally and with others. This release specifically addresses the second issue, increasing the likelihood of successful interoperability.
Recent publications of FIPS PUB 203, FIPS PUB 204, and FIPS PUB 205 drafts have prompted BC Java 1.77 to update PQC algorithms—Kyber, Dilithium, and SPHINCS+—in alignment with these draft standards.
Furthermore, the public key certificates generated in this update underwent validation in collaboration with various vendors during the IETF PQC Certificate Hackathon. This process confirms that the BC based implementations will indeed interoperate seamlessly with other vendors. The success of any public key and certificate implementation hinges on its ability to interoperate effectively.
To enhance compliance for users of DTLS, BC 1.77 has resolved issues surrounding the supported groups extension. The DTLS API now exhibits fully compliant behavior when the supported groups extension is utilized. This improvement significantly reduces unexpected challenges during the debugging of DTLS connections.
For HSM (Hardware Security Module) users leveraging TLS/DTL APIs, the transition to newer PKCS#11 providers is apparent, with the adoption of a new naming convention for RSA PSS based signature algorithms and the discontinuation of the old one. In response, BC 1.77 has adapted the TLS/DTLS API to support providers offering RSA PSS signatures using the updated "RSAPSS" algorithm naming convention, in addition to the older "withMGF1" designation. This should ensure seamless integration with the evolving landscape of HSM technologies.
Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then, sign data in SignServer. You can find all the tutorial videos and how-to guides you need here.