Skip to main content

Post-Quantum Cryptography

In the following algorithms are outline approved by the Federal Information Processing Standards (FIPS) for post-quantum cryptography:

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

TypePublic-Key Encryption / KEMsDigital Signatures
Lattice-basedCRYSTALYS-KYBERCRYTALS_DILITHIUM
Hash-basedSPHINCS+
PQC-SKA

PQC algorithms support Securosys Smart Key Attributes, following the same principles as for classical keys.

Create PQC Key

POST: /v1/key

Description: Create key request.

    {
        "label": "pqc_mlkem_fips203_final",
        "password": null,
        "algorithm": "ML-KEM-1024",
        "attributes": {
            "sign": false,
            "decrypt": true,
            "derive": true,
            "unwrap": false,
            "extractable": false,
            "modifiable": true,
            "destroyable": true,
            "sensitive": true
        }
    }

Supported Algorithms: ML-KEM-512, ML-KEM-768, ML-KEM-1024

Please read and follow the Key Encapsulation Mechanism guide.

Import key by seed

POST: /v1/importKey

Description: Import key from a seed

{
    "label": "pqc_mldsa_fips204_final",
    "algorithm": "ML-DSA-65",
    "seed": "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=",
    "addressFormat": null,
    "curveOid": null,
    "attributes": {
        "sign": true,
        "decrypt": false,
        "unwrap": false,
        "extractable": false,
        "modifiable": true,
        "destroyable": true,
        "sensitive": true
    },
    "policy": null
}

Supported Algorithms: ML-DSA-44, ML-DSA-65, ML-DSA-87

warning

For security reasons, it is recommended to use keys generated inside the HSM. Only import private keys when your use case requires using existing keys.

Sign a Payload

POST: /v1/synchronousSign

Description: Sign request, the payload (message to be signed) must be base64-encoded.

{
    "signRequest": {
        "payload": "U29tZVBheWxvYWQ=",
        "payloadType": "UNSPECIFIED",
        "signKeyName": "pqc_mldsa_fips204_final",
        "keyPassword": null,
        "signatureAlgorithm": "ML_DSA"
    }
}

Signature Algorithms: ML_DSA

Signature Prehashing Algorithms: SHA2_224_WITH_ML_DSA, SHA2_256_WITH_ML_DSA, SHA2_384_WITH_ML_DSA, SHA2_512_WITH_ML_DSA, SHA3_224_WITH_ML_DSA, SHA3_256_WITH_ML_DSA, SHA3_384_WITH_ML_DSA, SHA3_512_WITH_ML_DSA, SHAKE_128_WITH_ML_DSA, SHAKE_256_WITH_ML_DSA

Signature Size
AlgorithmRAW signature (Bytes)Base64-Encoded (Bytes)
ML-DSA-4424203228
ML-DSA-6533094412
ML-DSA-8746276172

Response (ML-DSA):

{
  "signature": "EvnLTaqpBFy82bmdGdjz3Ec7blyjVngT6ev1M2Jr1QsuDEfzsZafEcEspDT8GoeQcfrJzB2nS8bsNYSPXGnA8IREUJMWXMccI+bF7IHvCLf8iKrmquU89sXelRIBIluvkt6E0k0QWumk9MRL8l1VhjjhWMsQCVUOtbgfgNFGrWFPyf7WsPQ2TQZ4TbQYrQcrEzDyt3Y1OtphmK/umFrnOV/hxm9H8Z7tu7gs/LqRXXPO48eWHyQLWwe8i5DGCd8At6MAu76/25kn+J858H5Qu32o86Xg6HIgBHoPyyLHFA+AeTkMxIihBtTRYJMzSEPRGzgSo2EFTUNwQ9CIV7SnNm0bWmnwNwsn4aTL6T5Wsi99ClyL6AG+EqA4YVLGZBq827CH8PCZyeH/JWHH04u+zpKiv39TBeX1F8Bg3ZQhzu/FimP4nV48g7/oiVTisDYasgHLuXujULJd7LtZtVCgoA3qJxFzAOOeVzhDry8eJNMQ07fzboAM8KUVSdugSC/g3dzaSmuW9/JYvjjxbgyNlzDZdHcf9kSCRL058F3k1KBwirL1t7DrAw1HmUKs1KtP2bhEYZReXj6PjVaEPb2xGtlEm8qgih8kOrJbRVf5nD11wTefWb2SWEreV2yEdLx+96qhc6Cpw/4q9CTarT4Iktc2/N1DJW5W4IDZKNKXvPE5NbYBK6mtYAh7KzDw2KnqQeizyGJHMLk7gp4s/mM1LmfcelQ23bUVk7nTnajbQsdyJMm/AEuCm8PhZUDBzrSPeqV7VBPUjIhonnuYerT8KiINtxAjlf3iWvEuiRQfq8lRq1H/l//b/AZauXGktCopgKGR2ruImXOImKyNC0UQ4429bsrmS0vO8sgyVWVb8ChfHSdZbfOFzuKpnIR4uGpBMKbuv8ylJb1p+23v6472VhC+dWES3k2aYO6xAgdO9mm2b0piPA9wE7J5Mth1W0MALYtHMYsmAVO9IZsrzJgQK9j1bvqURGGHMz8lrVmD47rmBIesGUEj84RfXaW8FGt5swNvokdprB4mHmZsSfNE4SVd7ZeGZJGZ7HunLzQn8iuv1lns4qdDnlyw9D5VdpGcdWj9HcKQKao5dLXG2Bmbp4wIFEstMHyC1WF3CwgJmQwqW2nIS1AwfNTrq3AGKT6iuUFRXNbqLHYfy+MdJUlqeyNcDF3X6oXGpdrKDWN47HsbooKpMSv09vVsjb4Z5b6BUxQCnstWxY/gUeGphfcQT+tOxzHKX6iSYjxH115jaxzDKRomam4iOUaj0Q1ShbHrYhmhqj6waQFkMQYeBwI3a6gplDy0mrZATdHrfQZMR29ObTIiU8IoRjFLXm94PD+r+/+4Id2mHgI+0FC+0V8kHea/oinxQW19bVVBov+1igmXycvENCp4G8utDNHJvn3hUHDKvSZRUd4LPu6IEQCGffFfj2yQPEIOSuL72Hb5Pv3tvC4Dw/nLZoSjBqzfAvldEKgT7cN9VeQlT5IOUpAKW50NV5TU5wD+FocwVYxjDSsF07dr6t1DzI44tFmrEC9mThBX9qghnTrymU8ckKLy0v7FTyRLSwA+eDT4uBuv2lL1PyHn7yG+ECyW3EOQnAPGmswY6vFrFXd+YdzoOP2lmVP36tsewHr/bu+PC8K/1o2t2XXGsiNTIeHV5EsBor1uL/lD++W7qd4+NuUMy8DMr+8hNsuM5C6H5PPqbPoydTbI6V3gBQ2pmssNv6GaNLntgBAqlen3kHUGkPHASCDmB7+BeTUlRrRlHKFp9nnCXZ9H+b9OTmvOrGNhzXsdC10XSynlQ/bhbXnUonCkWpZHhIqD2m0e2/z0W4LCzVtzRGs9WnndLF7VHmQEb12O1qOUAWAXCikfutwVKNXNIe5H7jHqeNZYuzMrdGLv3gcYdehRApHCO+9LxOnjG/jgI6EEp3sEhMTquFS2vLGbsMMxbHbHVdrTJQ69Z/Y+NQqGny8oI8p8MnWhkwiekgNmeNru89fS+fmYB5YQtu/4y/n5qSgM0r5tjU+XpzHV4g4xI0LU/0DZaJD24omIDgp2esbCs3XufLnbYW/nphNjUfmzKMKy/Btb5wQOYhmww9NaGqV0oEKi3Vtre1IcwfGDWjEInP9weDgpIscSxuWLdxp2VmuXBvaYaoWjsigTnpNRCjLgtnxzu1DNhr2/1w/ft5A+GM4c0XAeHvV7/9OwVqsHR9+0buKTY1XVwqTXe89U9QsE6lNVfPTYAW21r9hcM+fYni6Nljkod6LghkVOCEKUDuCWCPJVXGKPgRvoRjmJoy7tjMKGQvez60gpmtJuJaLufUoSXQLV2Ivv4G75uM6U8VtO38y/owTmGdWTLjKc2JdIpgWXme4vgMtgX/tfe+Hz0Q4YybfcSK8cEKtRMam6as8zVJWMzzmKxJ0dMyn5G36pIuZ5FFS7hZLqlXkBQUF+wO2006JwGUaeFfd4R/WV83NT0Ek8fSVS7BUo7JdPMCK4nKmxX3oJecPVi9OvCSBReRDj+H2rL4b55/ERt8llAUKetiCAG4JTnofGEuz3/gZxSQKIGm0LihnxQvjybfNL1aeBniI/w+ytQJhffA3/y6/uAN4wGOTUGQLN3gqB5Qdt1SbqGgkxjQEKbVv60c1M6iF2TTRypLKPrUbx1K7e8XAQ2frbVJ7PqgliOiRoPUCe0pWXfsWZe0OP6vkiEez9Bg4Jj/58NQ8wG5Vpd9p1uQaC3OS/oeAn8OzABj4CHIet413VJHPu46cVgAMeOnzd6L5RaBFEDazPvEECVI0lZyy/7IC/7S+q5v1OFN6xEioYpT07XlfcUQsbXY22u6d/5tygxP07Vxm3i9CUCg71jre/Fx0s9A/YqiHQAixi47248piejaFwcnsFyulhwa5oJ2jJQ46xmfGVAxVFrNfzC2FbvJXNnhNcs5h9UvHhwednTWMY89qKWGgtazXMVGB5QpvyrzZlk2PuUt0Ot/zhsaZozFAAmlUFdz+9UezN3WRb1hLuUJm/UK5DX8KXgTIspy1SZwvZ1hQ6DHoXsvAQFlGlO3qQJ/9HgdqCTM8LGd8f1T42hjje37s4RHIhUBJeY+BbEE8vNpPDJ5uIZK35vJeth5Ej4BY9WUjjMRqnarcDChwkRkdgYWRncHF2eHyLz+P0/ihQVFhdd3h7m6mrwdDl8voACR87PVBbeX2Bnau/wMLl7PgKE1BqbnZ3fYOgtMLE0/IAAAAAAAAAAAAAABQkNkU="
}

Verify

POST: /v1/verify

Description Verify signature of a payload

Replace the signature from the previous response with the payload

{
  "verifySignatureRequest": {
    "signKeyName": "pqc_mldsa_fips204_final",
    "signatureAlgorithm": "ML_DSA",
    "payload": "U29tZVBheWxvYWQ=",
    "signature": "m2MX/8Murbk0rCWz5OD/3PtYoZbMDZkdTYH/BgWv7KCu8FVQJ7rhRNp/OlS9aNbCXSYzJmD...."
  }
}

Response:

{
  "signatureValid": true
}

Local Verify (BouncyCastle)

Public-Key

The publicKey can be retrieved by fetching the key-attributes.

  • POST /v1/key/attributes
/*
 * Copyright (c)2015-2024, Securosys SA
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 */

import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Illustrates ML-DSA/Dilithium signatures.
 */
public class VerifyMlDsaBcSample {
    public static void main(final String... args) throws Exception {
        final String base64Signature = "m2MX/8Murbk0rCWz5OD/3PtYoZbMDZkdTYH/BgWv7KCu8FVQJ7rhRNp/OlS9aNbCXSYzJmDVG4rvM8h8EBf294u6tQedXqtBScTjW3Dh8pB/IiC5Vga/tyQCZ7JbmjrabUgX3lOOYFIlEIBBevZOfjXtI2LqmRa4GTJfSqZjIS9sX1awZKhh89z/GUAnIvGWqpH5mrkWpAcwxu6jzLxLHzZorXUeLfJT8sM3at1hNel09632v3yjYZVS2Oze5pC/lmfop9lxlylGUrtxo8SyDW9JObS9hdpo4jmpk7w7SR/GCZsZoESKGGtX4OLEeiaw9TB/CWa9ZKpz1ikkqVnwtns/x3j/jOBa4/VA5FRG1bmQPwSKMRgErs6lELvvxzrg+gSaQvRwqd39w9n2TQaQEY/IxTnyepfcOLqjKNvHT6R6nfCAVHdPwKp88DIradqlvD5pTZOPmp/GGnj1bii37WTwBcBx+XXuYPRTSdG5jcsJA/R1EHgjGl+hWVw+AMH3kUKyDK4trLlpcifAaq5Cjjwa2QkvWChVw6j7LzgLZNJsUUu7/YfVVKktFY52oKORMMa4sFnrSFlXWZgUKxYUwMTle7rMar/F8EE3MEOPrZKHUb9Ht5bQ/e1EvwBEUfZKJH+nhHZ3f6CUJkdKG7ow6qm064Iz13k3DyZRTPgG3iakLDN/ZakJYDEcvH+S7lXANm3NQs6U0KqBf38rdtEV7ftM7omT/mviXMBJoKfhdEbqz4xk4/+GoDDhnELTVVny4SMnIhb3b+jjG5j2Ggr1wdDYbT957L4WAk1dgZPUGtClP1dkckY7moWcUsPgwsENN89utNfo31ou+PD0i6XxJHtD0Q/kQmrR3RtudPCOD5DmojzCt3QZkI6PsRPDnjhUL5DEuCaUnccLzWMzylzdmb93rIVc26BrwHqgacz0bXsuCouPDtjyAk3BfVJeuQi5G7mOR3h0p7o5hIagyXKVrgiIeNNRi78Oerkg5d8BsWEORsLJXqwJIMxOhGLCt3a+c35emOqiogVdJ1/gHrGkC7nxjqpb1LAsnSGsxDgeHWEHRR1gLVBXMfBGRPGc+kus6+sBMugt4K1wQU/2FWzj1iU6gBr/9b26qdigbf80So811KU+drZU2YinRpDmbAnEF/VI6lQcsHA8lIIV+j4stpyJ48CL0XEmtARnpkFKe3OaCiuiK5Aa2bTzYCkAdC3mejj+NQz9O0zlo9yDic/Tur+/oEXqQItRlkDeLsxvL1rcUpHDbW+Glq3SwLvmo4b5meZkhCwWkLkCx7aDRbAn1uv+KvVY2cAn4bBg1oiJkc8T8Cc2xGWwDjblD9A/I3LH+f4tJrPVHwgGP9r9xCKOfUNweebQTZlSCpUVJzcDK19c5G25FxL94uWldFGZ+mraGP/EP9BSaQLp1rowSl9WcVbwvQbBm3GIY/xXoPY7XjyLcne95LgsknIGLLcc++6srH/H9vHw6/OST3RzmUT0laznsYNmSuGTtTq16Zx8enAoG9QwHDkdP/cRhVPCld0c7xJ7KYIV7jrUpDdAq+w5OuE6rLadRP1j3L9W46olP/LEYBCMT6iLmreubhnc9LlxuyL3N3u5ZnO8knuH9rydP1dgF3p7qINrMxqtLZ8FdvhKhX7YRxbnfqnjQEE+4HnQ8/tmNebb3s3EGvnZcF7daGpQaEVfOr44YKR8i0KP7seGs6SUaXX8Qubw1skdG24mH+7bCBqDmhXJkTi/LnPiLAr6/XNrn/M1Y5SkrgiPB5TVwDxtaA8bBp2xbRtEnFEJPWG7cByJpGqXe7Ji4zGHhOpdYnxkmoSYtusz315HPs1cRpDDrGaQTv/O7UqWvQpbFDZxG26ZT9/cD77EhdQKr9P7V8QHjr0JWTOyKc3D/KtzuRoBNLHPW+62Xutx5C431idwroUgrhH7nPKGeNsAwVwdNxacq3jngUNy/JOZ7T90OpNbmvWp3F0W5wIRR0Ka9ulWzb6sQz5QT4xAHTUas0yxUPFLfx6sRayUIOPw7OprOOqsGjIkuiL0o+HnS2WxU80j62FVeezF8j2sUgFnhCzXJn+RNU/ApeeOAL/FaYM81jm3/x0pT+7EpxK1ZrnImrjESeDbtzbepAAMJK+KiczMhfR0OzndAMwc1ka+2YRgSaSljyNBSGYrKt8tP7KwChKvF9fmDDjwyHQqRopS1AzSieD+2+LqlnqfhBYBXsGjEM3caF9CnPmNUmsYlBOReOKgG5DGm9dYBknqhD4sQh8M6PXTrEH0HipGaixta1pHQfHzfc7BxNgJsQsJqBzVxGafgNBA1v/t2pefE6qImu33smq8lelS/OLPn/6WEk4gR7xa/mCqSSKPL1rHwyjmZpqp78aOXL2GEbnxY2lJBzVmwQ4pm7WERdADkb+XTj4On9s1dkKrGOV1nTq9v1/uuTuLs4XzRwekJ3JqBPike4Qyy4Wd84M01D7OcxR1RFDifthrFMmlzg8hMaBPbIhnF6ELhBl1hddcOKS4/bugUp4PzSPeB1P/Wc4dG94BW7nXfmkLbZ47i+knXJFrYzu0Z/dsm9nSW6TQXbLuH61J0IXI8xNKPsYLvKSM+FRu3N71WEj/3Yt7+Dm80+VT5mhO7PM2UKtOOuaN455oG/QM0+dO9xpGvJAGPyI3QtUusuhdCKJFdU4pw618iERjmzIy2Nf+OTbKFSkJ2p0Xgax+T4SiRTSRqBUpg+7qkD1xtLklkBF1ImTsZqchi8noKJzQWHCn6dFkQzrlWkRFrOHoA1Ej+aml/TYeEnSv+BzUrXcs+v20IRrK0AzI6biHlTiFfg6MmamMzjfxvDYgR9ujE4GhJVNLok3/04NNUgYWAOul515WUROAQbVGI+Cajtx5I5X+w+3HTFJoLAE2WDJ1QTjFWkkKQqbGSleaQYBIpxdHB55stEw7gIDOVuQhPK1x1x4jpiZWnLPtXQg1TqeHHiu5sZtAKWWUdlJyL4D3YBOsGnA53WTKkZ0b4ItIep9q8lDeEmRMXw0LXN119U8+eQgGZk+LUok8IxUQtQ1VUU7T9toq9KGqADV0xjCH93ZlpDX0Bs/Jh+8CCdHg5yThz1ScjQ8Ns72rPRIM+VpemzsAKDxZa2ypscPOz9PY4OsfKjd/j5quzNTpJik2RGdxhIuew8TeBxEtPGS9xc76AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8ZJS4=";
        final String payload = "U29tZVBheWxvYWQ=";
        final String publicKey = "MIIFMjALBglghkgBZQMEAxEDggUhAKVRzhxw5evKuIugL7QL+efOGNV7RORMB23pFkkZ2HoHqbPzOhdIUWLEeY1wv2mN7zV7SVdrjaTbuaC5prFfALwVEowqaS+VIZQ4dJj/s7GfhE3dAnZdZv3aGokGduwdMqIZvqh5rSTFXHboFfA88Pzfi8Oq04N49TKvKZga+nQE1wXnKq9XCu5PleBy2jWPIrLuE53wj0WRTqgqma/jeIkHbdZJn3+doLwBy76jLhAFtDOjzXMu5PDKmavUIhuPwksJbwJ+PJWbStRFbCaeCcg5unvkDGqNy3XIqopX/lb+k7YaAAeTjQuJYP2hta0ig0cyIPx8mC2Cwn6uPE+1+OMMMFGdPsCK8EQa6DEkYWb83OYC3Le3GLfB2go0crzT9kBirBZXVZxxCKJemQFjISPuRza3P76zAr5LhrZzbfjehcytfTVfNMAl+EC2/c9Ksv19NYKR5r7JSdnSQTCghO40aRPIjMvTyyfCgMYj8jcVjFoqZJeIAMk8xf3LRFVCQxYV2seXZUvsQIXxo5gEYFGPFmARGJmnqxjoDGGkbBXAW5Q7HEuUG2w9cp8pW+K0u4F0jLyfE3GN/NrIsaBunq1jv2CJUglnf9AgRdGX454BUagB5Ksu5gFraKJ85o2GN/GPA0DynIg4KtM07YBt3U8J66iBXIuNV1/wpmI4I9zHKLUsUnBM6qbY0g6ozOx33XQ2LjBeWWGRA3n83pNjBb7JtYbQOW7PRGv7OmxPQk0ZGND6OBfdRAblLbiLdjKuhuB8KyxXrem2grRFXP1tsRwR9WCI0WNjUj0DbbDtmKiVhOxr0wNKM+5VziabRA1GEaM2TdnxSphincs_plus1vyAQRrLxTinjzDriW/EzbDg57pLQdwyYBBTrA3e3CNyZwo1TQSrYnjXiMzr/yqkYBaHquL7Q0acfwjnOPf532/MMbP8QJ7nyyoIxM7024u3AtnD0lH4vuUN79tCRWUANxTPYB4UfUl0YVmuxBXwTMjUpOmFNMDS3I8CZZQ5+z3dE9oGjEF1IE82/fsEOkNKNRRUNSif4uJ5CRdkBzJNijDRxXZ5hUv460xAbLmxO1DWoyduLnd5ur6/J5He52nFgUBgGB5PHKQfJR2a4JSkB40e9TuUWzdwddIqxkqO/hGHfL//dMqNGBlclAOYMHKTsalg780Uc6wBqL2dU/tSbHlsL2HU47CaAKuAv8q5VFsZ+niNR0s9mqpJX5QDLFJDfPJucClp6oP57LQZZGc6KcnS7azQ5ODWVuBsa4n63VpZVPdtWLGOoLNB1Qz6uvODlwuWRuO3dTNYxp3xSoFGwv67NiVorPATsetVsA6J0BFV48HQCA4SNwZ0r69KdNyEATDV4uXoaXZnNpe3drOZ8cwICzMRIks7QJUYnDXcW5s0dICKCScgChz8r2GiaYulWje1sAd2YikUJwgC9Gz11IxmvBhUh16ydr+KVRbcgzHvf1a09krdnCsnOtWi7fFsSDZG50myUIlsj8b6atEpzobfp1DrL7eHvCrZUroazsmyL9Y4R/gWsAgQ2K53vxzXch45xXzI/5fbcyHsXxe1I6dKs1bySassSlLuE9g3IkR3HFNyTD4OYapywiLn5uWx2rAHVey0JEE3KauNvAT3IMRkbuH6IFj+3lIz35/06agnbWyaCgZb3VlSck0NL0XCIuSj2T8WyFgf3V9RQCm3x7C+NriOu3JypE046Vl8jkMjJfj0x+XbLgfv+qzdZ7COGDclmYxst/o2yoc=";

        Security.addProvider((Provider)Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider").getConstructor().newInstance());
        final Provider provider = Security.getProvider("BC");

        final String mlDsaSignatureAlgorithm = "ML-DSA";
        final KeyFactory mlDsaKeyFactory = KeyFactory.getInstance(mlDsaSignatureAlgorithm, provider);
        PublicKey mlDsaPublicKey = mlDsaKeyFactory.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(publicKey)));

        final Signature mlDsaSignature = Signature.getInstance(mlDsaSignatureAlgorithm, provider);
        mlDsaSignature.initVerify(mlDsaPublicKey);
        mlDsaSignature.update(Base64.getDecoder().decode(payload));
        final boolean verified = mlDsaSignature.verify(Base64.getDecoder().decode(base64Signature));

        System.out.println("verified: " + verified);
    }
}
Get started withCloudHSM for free.
Other questions?Ask Sales.
Last updated on
Feedback
Need help?