
PQC support with IBMJCECCA
IBM® Semeru for z/OS® provides post-quantum cryptography (PQC) support for Java™ applications through the National Institute of Standards and Technology (NIST) standardized algorithms Module Lattice - Key Encapsulation Mechanism (ML-KEM) and Module Lattice - Digital Signature Algorithm (ML-DSA).
ML-KEM and ML-DSA are NIST's first published post-quantum cryptography standards. They evolved from the CRYSTALS-Kyber and CRYSTALS-Dilithium algorithms. The NIST standard algorithms and the CRYSTALS algorithms are not interoperable.
- ML-KEM
ML-KEM is a key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices.
IBMJCECCA currently offers the following implementations:
- ML-KEM 768
- ML-KEM 1024
- CRYSTALS-Kyber 1024 Round 2 (superseded by ML-KEM)
With ML-KEM, it is now possible to perform a quantum-safe hybrid key exchange scheme that combines the protection of traditional Elliptic Curve Cryptography (ECC) with the PQC ML-KEM algorithm. This hybrid key exchange scheme provides two layers of protection and can ensure that all key exchanges are protected from attacks by traditional and quantum computers.
Note: ML-KEM is the recommended key encapsulation mechanism over CRYSTALS-Kyber, given the NIST standardization and future compatibility.
- ML-DSA
ML-DSA is a lattice-based digital signature scheme whose security is based on the hardness of finding short vectors in lattices.
IBMJCECCA currently offers the following implementations:
- Pure ML-DSA (4,4)
- Pure ML-DSA (6,5)
- Pure ML-DSA (8,7)
- Pre-Hash ML-DSA (4,4) with SHA-512
- Pre-Hash ML-DSA (6,5) with SHA-512
- Pre-Hash ML-DSA (8,7) with SHA-512
- CRYSTALS-Dilithium (6,5) Round 2 (superseded by ML-DSA)
- CRYSTALS-Dilithium (8,7) Round 2 (superseded by ML-DSA)
- CRYSTALS-Dilithium (6,5) Round 3 (superseded by ML-DSA)
- CRYSTALS-Dilithium (8,7) Round 3 (superseded by ML-DSA)
The strength of an ML-DSA key is represented by the size of its matrix of polynomials. For example, ML-DSA (6,5) has a matrix size of 6x5. The bigger the matrix size, the stronger the key. ML-DSA keys can only be used for digital signature generation and verification.
Note: ML-DSA is the recommended digital signature scheme over CRYSTALS-Dilithium, given the NIST standardization and future compatibility.
- Prerequisites
- The hardware and OS prerequisites for Semeru NIST PQC support are as follows:
- IBM z16™ or z17 hardware.
- Crypto Express8 with CCA release 8.4 or later licensed internal code (LIC).
- z/OS 2.5 or 3.1 with ICSF APAR OA66395. The PTF for ICSF HCR77D2 (2.5) is UJ97342; the PTF for HCR77E0 (3.1) is UJ97339.
- IBM Semeru Runtimes 17.0.15.0 and 21.0.7.0 or newer.
- Migration to ML-KEM or ML-DSA
- The following tables provide the recommended mapping of algorithms for migration to the NIST
standard. While the NIST standard algorithms were derived from the respective CRYSTALS-* algorithms,
the two sets of algorithms are not interoperable. Keys are specific to the algorithms and might need
to be regenerated. Additional migration steps might be required.
Table 1. Recommended mapping of NIST algorithms from CRYSTALS-Kyber

| CRYSTALS-Kyber | ML-KEM |
| --- | --- |
| CRYSTALS-Kyber 1024 Round 2 | ML-KEM 1024 |

Table 2. Recommended mapping of NIST algorithms from CRYSTALS-Dilithium

| CRYSTALS-Dilithium | ML-DSA |
| --- | --- |
| CRYSTALS-Dilithium (6,5) Round 3 | Pure ML-DSA (6,5) |
| CRYSTALS-Dilithium (8,7) Round 3 | Pure ML-DSA (8,7) |

Note: IBM continues to support the CRYSTALS-* algorithms until otherwise stated.
