ПОСТКВАНТОВА КРИПТОГРАФІЯ В ЕКОСИСТЕМІ JAVA

Yu. F. Oleksiichuk

doi:10.32782/2521-6643-2026-2-72.26

Yu. F. Oleksiichuk Poltava University of Economics and Trade https://orcid.org/0000-0002-0585-3307

DOI: https://doi.org/10.32782/2521-6643-2026-2-72.26

Keywords: post-quantum cryptography, ML-KEM, ML-DSA, SLH-DSA, Java, BouncyCastle, Spring Boot, JCA, JWT, migration

Abstract

The completion of NIST standardization in 2024, with the publication of ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), has confronted Java developers with a concrete practical question: how to integrate these algorithms into real-world applications using the available platform tools. The Java ecosystem offers several fundamentally different integration paths depending on the JDK version; however, a systematic description of these approaches from a practitioner’s perspective remains insufficiently represented in the scientific literature. This paper analyzes the evolution of post-quantum cryptography support in the Java platform from JDK 17 through JDK 25, with an outlook toward JDK 27. The Java Cryptography Architecture and the role of the provider model as a foundation for implementing the crypto agility concept are examined. Two API levels of the BouncyCastle 1.83 library – the JCA provider and the low-level lightweight API – are compared, and the appropriate use cases for each are identified. It is established that native support in JDK 25 covers only ML-KEM and ML-DSA, while SLH-DSA remains available exclusively through BouncyCastle across all JDK versions, demonstrating the asynchronous nature of NIST standardization and JDK platform integration. Practical code examples are developed and analyzed for two typical scenarios. The first involves hybrid JWT token signing using both classical ECDSA and post-quantum ML-DSA simultaneously in a Spring Boot application, ensuring backward compatibility with existing infrastructure. The second addresses secure inter-service communication via ML-KEM with public key authentication using ML-DSA to protect against man-in-the-middle attacks. It is shown that direct use of ML-DSA in JWT is incompatible with existing libraries due to the absence of corresponding algorithms in RFC 7515 and RFC 7518, and practical mitigation approaches for the transition period are proposed, including reference tokens and token introspection. A four-phase migration strategy for enterprise Java systems is proposed: inventory of cryptographic dependencies, introduction of crypto agility through centralized algorithm configuration in Spring Boot, a hybrid mode of parallel classical and post-quantum algorithm usage, and full migration following PQC TLS standardization in JDK 27. The results of this work can be directly applied by Java developers when planning and implementing the migration of enterprise applications to postquantum cryptographic standards

References

1. Prokopovych-Tkachenko D. I., Khrushkov B. S., Derkach Y. O. Post-quantum threats to information security: challenges at the global and national levels. Systems and Technologies, 2025, 69(1). P. 118–123. https://doi.org/10.32782/2521-6643-2025-1-69.14
2. Prokopovych-Tkachenko D. I. Emergent-adaptive method of assessing the impact of the post-quantum environment on the information security of the state. Systems and Technologies, 2024, 68(2). P. 86–94. https://doi.org/10.32782/2521-6643-2024-2-68.10
3. Federal Office for Information Security. Status of Quantum Computer Development, V2.2. 2025. URL:
https://www.bsi.bund.de/dok/study_status_quantum_computer
4. NIST. FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard. Federal Information Processing Standard. National Institute of Standards and Technology. Gaithersburg, MD. 2024. https://doi.org/10.6028/NIST.FIPS.203.
5. NIST. FIPS 204: Module-Lattice-Based Digital Signature Standard. Federal Information Processing Standard. National Institute of Standards and Technology. Gaithersburg, MD. 2024. https://doi.org/10.6028/NIST. FIPS.204
6. NIST. FIPS 205: Stateless Hash-Based Digital Signature Standard. Federal Information Processing Standard. National Institute of Standards and Technology. Gaithersburg, MD. 2024. https://doi.org/10.6028/NIST.FIPS.205
7. Nita S. L., Mihailescu M. I. JDK 21: New Features. In Cryptography and Cryptanalysis in Java: Creating and Programming Advanced Algorithms with Java SE 21 LTS and Jakarta EE 11 (pp. 19–37). Berkeley, CA: Apress. 2024. https://doi.org/10.1007/979-8-8688-0441-0_2
8. Mosca M., Piani M., Neill B. Quantum Threat Timeline Research Report 2024. Global Risk Institute. December 2024. URL: https://www.evolutionq.com/publications/quantum-threat-timeline-research-report-2024
9. Campbell R. Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks. Computers. 2026; 15(1):9. https://doi.org/10.3390/computers15010009
10. NIST. (2025). Considerations for Achieving Cryptographic Agility: Strategies and Practices. NIST CSWP 39. https://doi.org/10.6028/NIST.CSWP.39
11. Marchesi L., Marchesi M., Tonelli R. Reviewing Crypto-Agility and Quantum Resistance in the Light of Agile Practices. Agile Processes in Software Engineering and Extreme Programming – Workshops. XP XP 2022 2023. Lecture Notes in Business Information Processing, vol 489. Springer, Cham, 2024. https://doi.org/10.1007/978-3-
031-48550-3_21
12. Cho J., Lee C., Kim E., Lee J., Cho B. Software-Defined Cryptography: A Design Feature of Cryptographic Agility. Cryptology ePrint Archive, Paper 2024/518, 2024. URL: https://eprint.iacr.org/2024/518
13. OpenJDK. JEP 452: Key Encapsulation Mechanism API. 2023. URL: https://openjdk.org/jeps/452
14. OpenJDK. JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism. 2024. URL: https://openjdk.org/jeps/496
15. OpenJDK. JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3. 2026. URL: https://openjdk.org/jeps/527
16. José A. Montenegro Ruben Rios, & Javier Lopez-Cerezo. A performance evaluation framework for post-quantum TLS. Future Generation Computer Systems, Volume 175, 2026. https://doi.org/10.1016/j.future.2025.108062
17. National Cyber Security Centre. Timelines for Migration to Post-Quantum Cryptography. NCSC Guidance. 2025. URL: https://www.ncsc.gov.uk/guidance/pqc-migration-timelines
18. Grover L. K. A fast quantum mechanical algorithm for database search. In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, 1996, pp. 212–219. https://doi.org/10.1145/237814.237866
19. Grassl, M., Langenberg, B., Roetteler, M., Steinwandt, R. Applying Grover’s algorithm to AES: quantum resource estimates. In International Workshop on Post-Quantum Cryptography, 2016, pp. 29–43. Cham: Springer International Publishing. https://doi.org/10.48550/arXiv.1512.04965
20. Jones M., Bradley J., Sakimura N. JSON Web Signature (JWS), RFC 7515, May 2015. https://doi.org/10.17487/RFC7515
21. Jones M. JSON Web Algorithms (JWA), RFC 7518, May 2015. https://doi.org/10.17487/RFC7518
22. Richer J. OAuth 2.0 Token Introspection, RFC 7662, October 2015. https://doi.org/10.17487/RFC7662

POST-QUANTUM CRYPTOGRAPHY IN THE JAVA ECOSYSTEM

Abstract

References

Most read articles by the same author(s)