
Post-Quantum Cryptography

The following algorithms are approved by the Federal Information Processing Standards (FIPS) for post-quantum cryptography:

  • FIPS 203 (CRYSTALS-KYBER), Module-Lattice-Based Key-Encapsulation Mechanism Standard
  • FIPS 204 (CRYSTALS-DILITHIUM), Module-Lattice-Based Digital Signature Standard
  • FIPS 205 (SPHINCS+), Stateless Hash-Based Digital Signature Standard

These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.

| Type          | Public-Key Encryption / KEMs | Digital Signatures |
|---------------|------------------------------|--------------------|
| Lattice-based | CRYSTALS-KYBER               | CRYSTALS-DILITHIUM |
| Hash-based    |                              | SPHINCS+           |


PQC - REST API (Example)

PQC-SKA

PQC algorithms support Securosys Smart Key Attributes, following the same principles.

Create PQC-Key

POST: /v1/key

Description: Create key request.

{
  "label": "pqc_dilithium_fips204_final",
  "password": null,
  "algorithm": "ML-DSA-44",
  "attributes": {
    "sign": true,
    "decrypt": false,
    "unwrap": false,
    "extractable": false,
    "modifiable": true,
    "destroyable": true,
    "sensitive": true
  }
}

Supported Algorithms: ML-DSA-44, ML-DSA-65, ML-DSA-87

Sign a Payload

POST: /v1/synchronousSign

Description: Sign request. The payload (message to be signed) must be base64-encoded.

Signing-Algorithms

The signatureAlgorithm is: DILITHIUM, KYBER, SPHINCS_PLUS, or LMS

{
  "signRequest": {
    "payload": "U29tZVBheWxvYWQ=",
    "payloadType": "UNSPECIFIED",
    "signKeyName": "pqc_dilithium_fips204_final",
    "keyPassword": null,
    "signatureAlgorithm": "DILITHIUM"
  }
}

Supported Algorithms: DILITHIUM

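Signature Size

| Algorithm | RAW signature (Bytes) | Base64-Encoded (Bytes) |
|-----------|-----------------------|------------------------|
| ML-DSA-44 | 2420                  | 3228                   |
| ML-DSA-65 | 3309                  | 4412                   |
| ML-DSA-87 | 4627                  | 6172                   |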

Response (Dilithium):

{
  "signature": "<base64-encoded signature>"
}

Verify

POST: /v1/verify

Description: Verify the signature of a payload.

In the request below, replace the signature with the one returned in the previous response.

{
  "verifySignatureRequest": {
    "signKeyName": "pqc_dilithium_fips204_final",
    "signatureAlgorithm": "DILITHIUM",
    "payload": "U29tZVBheWxvYWQ=",
    "signature": "m2MX/8Murbk0rCWz5OD/3PtYoZbMDZkdTYH/BgWv7KCu8FVQJ7rhRNp/OlS9aNbCXSYzJmD...."
  }
}

Response

{
  "signatureValid": true
}

Local Verify (BouncyCastle)

Public-Key

The publicKey can be retrieved by fetching the key-attributes.

  • POST /v1/key/attributes
/*
* Copyright (c)2015-2024, Securosys SA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*/

import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

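/**
 * Illustrates ML-DSA/Dilithium signatures.
 */
public class VerifyMlDsaBcSample {
    public static void main(final String... args) throws Exception {
        // Base64 signature as returned by POST /v1/synchronousSign (placeholder, insert the real value).
        final String base64Signature = "<base64-encoded signature>";
        // Base64-encoded payload, identical to the one sent in the sign request.
        final String payload = "U29tZVBheWxvYWQ=";
        // Base64-encoded X.509 SubjectPublicKeyInfo, taken from POST /v1/key/attributes.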
final String publicKey = "MIIFMjALBglghkgBZQMEAxEDggUhAKVRzhxw5evKuIugL7QL+efOGNV7RORMB23pFkkZ2HoHqbPzOhdIUWLEeY1wv2mN7zV7SVdrjaTbuaC5prFfALwVEowqaS+VIZQ4dJj/s7GfhE3dAnZdZv3aGokGduwdMqIZvqh5rSTFXHboFfA88Pzfi8Oq04N49TKvKZga+nQE1wXnKq9XCu5PleBy2jWPIrLuE53wj0WRTqgqma/jeIkHbdZJn3+doLwBy76jLhAFtDOjzXMu5PDKmavUIhuPwksJbwJ+PJWbStRFbCaeCcg5unvkDGqNy3XIqopX/lb+k7YaAAeTjQuJYP2hta0ig0cyIPx8mC2Cwn6uPE+1+OMMMFGdPsCK8EQa6DEkYWb83OYC3Le3GLfB2go0crzT9kBirBZXVZxxCKJemQFjISPuRza3P76zAr5LhrZzbfjehcytfTVfNMAl+EC2/c9Ksv19NYKR5r7JSdnSQTCghO40aRPIjMvTyyfCgMYj8jcVjFoqZJeIAMk8xf3LRFVCQxYV2seXZUvsQIXxo5gEYFGPFmARGJmnqxjoDGGkbBXAW5Q7HEuUG2w9cp8pW+K0u4F0jLyfE3GN/NrIsaBunq1jv2CJUglnf9AgRdGX454BUagB5Ksu5gFraKJ85o2GN/GPA0DynIg4KtM07YBt3U8J66iBXIuNV1/wpmI4I9zHKLUsUnBM6qbY0g6ozOx33XQ2LjBeWWGRA3n83pNjBb7JtYbQOW7PRGv7OmxPQk0ZGND6OBfdRAblLbiLdjKuhuB8KyxXrem2grRFXP1tsRwR9WCI0WNjUj0DbbDtmKiVhOxr0wNKM+5VziabRA1GEaM2Tdnx1vyAQRrLxTinjzDriW/EzbDg57pLQdwyYBBTrA3e3CNyZwo1TQSrYnjXiMzr/yqkYBaHquL7Q0acfwjnOPf532/MMbP8QJ7nyyoIxM7024u3AtnD0lH4vuUN79tCRWUANxTPYB4UfUl0YVmuxBXwTMjUpOmFNMDS3I8CZZQ5+z3dE9oGjEF1IE82/fsEOkNKNRRUNSif4uJ5CRdkBzJNijDRxXZ5hUv460xAbLmxO1DWoyduLnd5ur6/J5He52nFgUBgGB5PHKQfJR2a4JSkB40e9TuUWzdwddIqxkqO/hGHfL//dMqNGBlclAOYMHKTsalg780Uc6wBqL2dU/tSbHlsL2HU47CaAKuAv8q5VFsZ+niNR0s9mqpJX5QDLFJDfPJucClp6oP57LQZZGc6KcnS7azQ5ODWVuBsa4n63VpZVPdtWLGOoLNB1Qz6uvODlwuWRuO3dTNYxp3xSoFGwv67NiVorPATsetVsA6J0BFV48HQCA4SNwZ0r69KdNyEATDV4uXoaXZnNpe3drOZ8cwICzMRIks7QJUYnDXcW5s0dICKCScgChz8r2GiaYulWje1sAd2YikUJwgC9Gz11IxmvBhUh16ydr+KVRbcgzHvf1a09krdnCsnOtWi7fFsSDZG50myUIlsj8b6atEpzobfp1DrL7eHvCrZUroazsmyL9Y4R/gWsAgQ2K53vxzXch45xXzI/5fbcyHsXxe1I6dKs1bySassSlLuE9g3IkR3HFNyTD4OYapywiLn5uWx2rAHVey0JEE3KauNvAT3IMRkbuH6IFj+3lIz35/06agnbWyaCgZb3VlSck0NL0XCIuSj2T8WyFgf3V9RQCm3x7C+NriOu3JypE046Vl8jkMjJfj0x+XbLgfv+qzdZ7COGDclmYxst/o2yoc=";

        // Register BouncyCastle reflectively so the sample compiles without BC on the compile-time classpath.
        Security.addProvider((Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider").getConstructor().newInstance());
        final Provider provider = Security.getProvider("BC");

        // Rebuild the public key from its X.509 encoding.
        final String mlDsaSignatureAlgorithm = "ML-DSA";
        final KeyFactory mlDsaKeyFactory = KeyFactory.getInstance(mlDsaSignatureAlgorithm, provider);
        PublicKey mlDsaPublicKey = mlDsaKeyFactory.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(publicKey)));

        // Verify the signature over the decoded payload bytes.
        final Signature mlDsaSignature = Signature.getInstance(mlDsaSignatureAlgorithm, provider);
        mlDsaSignature.initVerify(mlDsaPublicKey);
        mlDsaSignature.update(Base64.getDecoder().decode(payload));
        final boolean verified = mlDsaSignature.verify(Base64.getDecoder().decode(base64Signature));

        System.out.println("verified: " + verified);
    }
}
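
Added example (not part of the Securosys sample code): a Python pre-check to run before local verification. It reads the ML-DSA parameter set from the OID inside the base64 SubjectPublicKeyInfo and rejects a signature whose raw length does not match the Signature Size table. The function names and SAMPLE_SPKI are assumptions made for this example; the OIDs and key sizes are those registered for FIPS 204.

```python
import base64

# FIPS 204 parameter sets keyed by the last arc of OID 2.16.840.1.101.3.4.3.x:
# (name, public-key bytes, raw signature bytes as in the table above).
ML_DSA = {17: ("ML-DSA-44", 1312, 2420),
          18: ("ML-DSA-65", 1952, 3309),
          19: ("ML-DSA-87", 2592, 4627)}
OID_PREFIX = bytes.fromhex("6086480165030403")  # DER body of 2.16.840.1.101.3.4.3

# Constructed sample: ML-DSA-44 SubjectPublicKeyInfo with all-zero key material.
SAMPLE_SPKI = base64.b64encode(bytes.fromhex(
    "30820532300b06096086480165030403110382052100") + bytes(1312)).decode()


def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length


def parameter_set_from_spki(spki_b64):
    """Return (name, signature_bytes) for a base64 ML-DSA SubjectPublicKeyInfo."""
    der = base64.b64decode(spki_b64, validate=True)
    spki, end = read_tlv(der, 0, 0x30)
    alg_id, pos = read_tlv(spki, 0, 0x30)
    oid, _ = read_tlv(alg_id, 0, 0x06)
    key_bits, _ = read_tlv(spki, pos, 0x03)
    if end != len(der) or oid[:-1] != OID_PREFIX or oid[-1] not in ML_DSA:
        raise ValueError("not a well-formed ML-DSA public key")
    name, pk_len, sig_len = ML_DSA[oid[-1]]
    if len(key_bits) != pk_len + 1 or key_bits[0] != 0:  # 1st byte: unused bits
        raise ValueError(f"{name} public key must be {pk_len} bytes")
    return name, sig_len


def check_signature_length(spki_b64, signature_b64):
    """Raise ValueError unless the signature size fits the key's parameter set."""
    name, sig_len = parameter_set_from_spki(spki_b64)
    raw = base64.b64decode(signature_b64, validate=True)
    if len(raw) != sig_len:
        raise ValueError(f"{name} signature must be {sig_len} bytes, got {len(raw)}")
    return name
```

A length match only confirms that the signature and key belong to the same parameter set; the cryptographic check is still the verify call.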