PQC support with IBMJCECCA
IBM® Semeru for z/OS® provides post-quantum cryptography (PQC) support for Java™ applications through the National Institute of Standards and Technology (NIST) standardized algorithms Module Lattice-Based Key Encapsulation Mechanism (ML-KEM) and Module Lattice-Based Digital Signature Algorithm (ML-DSA).
ML-KEM and ML-DSA are NIST's first published post-quantum cryptography standards.
- ML-KEM
-
ML-KEM is a key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices.
IBMJCECCA currently offers the following implementations:- ML-KEM 768
- ML-KEM 1024
- ML-DSA
-
ML-DSA is a lattice-based digital signature scheme whose security is based on the hardness of finding short vectors in lattices.
IBMJCECCA currently offers the following implementations:- Pure ML-DSA (4,4)
- Pure ML-DSA (6,5)
- Pure ML-DSA (8,7)
- Pre-Hash ML-DSA (4,4) with SHA-512
- Pre-Hash ML-DSA (6,5) with SHA-512
- Pre-Hash ML-DSA (8,7) with SHA-512
The strength of an ML-DSA key is represented by the size of its matrix of polynomials. For example, ML-DSA (6,5) has a matrix size of 6x5. The bigger the matrix size, the stronger the key. ML-DSA keys can only be used for digital signature generation and verification.
- Prerequisites
- The hardware and OS prerequisites for Semeru NIST PQC support are as follows:
- IBM z16® or z17 hardware.
- Crypto Express8 with CCA release 8.4 or later licensed internal code (LIC).
- z/OS 2.5 or 3.1 with ICSF APAR OA66395 PTF for ICSF HCR77D2 (2.5) is UJ97342, HCR77E0 (3.1) is UJ97339.
- IBM Semeru Runtimes 17.0.15.0 and 21.0.7.0 or newer.