JDK-8310572 : Support CNSA 2.0
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2023-06-21
  • Updated: 2025-05-15
JDK 26
26 Unresolved
Description
CNSA 2.0 was announced in Sept 2022 and updated in Dec 2024: https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/1/CSI_CNSA_2.0_FAQ_.PDF

We should check and try to support the new PQC algorithms as well as make necessary adjustments accordingly. See Table IV: CNSA 2.0 algorithms under Appendix for the list of algorithms.

According to https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/sS47RFCdJ74/m/WzM0pPcOBQAJ:
- Listing the NIST standards documents that define CNSA 2.0 suite of algorithms and updated timelines for transitions
- Clarification on which NIST signatures from the recent standards are allowed for use in NSS
- Allowance of additional options in internal hardware checks, such as boot-up integrity checks
- Added context on our views on hybrid systems
Comments
As of JDK 25, all general purpose algorithms in CNSA 2.0 are supported. For the "allowed for specific applications" algorithms, LMS signature verification and SHA3 message digests are supported, i.e. missing XMSS Signature and LMS signature generation.
15-05-2025

CNSA 2.0 algorithms (updated):
- AES Cipher (use 256-bit keys), see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf
- ML-KEM Key Establishment (use ML-KEM-1024), see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
- ML-DSA Signature (use ML-DSA-87), see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf
- SHA MessageDigest (use SHA-384 or SHA-512), see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

In addition, the following algorithms are allowed for specific applications:
- LMS Signature (all parameters, SHA-256/192 recommended), see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
- XMSS Signature (all parameters), see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
- SHA3 MessageDigest (SHA3-384 or SHA3-512 allowed for internal hardware functionality only, say boot-up integrity checks), see https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
15-05-2025
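
A way to check a given runtime against the algorithm list in the comment above, as an added example that is not part of this issue or of the JDK sources. The class name `Cnsa2Probe` is hypothetical, and `XMSS` is an assumed provider algorithm name, not a JDK standard name; the code needs JDK 21 or later to compile because it uses `javax.crypto.KEM`.

```java
import java.security.*;
import java.util.*;
import javax.crypto.*;

// Added example: exercises each CNSA 2.0 algorithm on the running JDK and reports gaps.
public class Cnsa2Probe {
    interface Check { void run() throws Exception; }

    static Map<String, Check> checks() {
        Map<String, Check> m = new LinkedHashMap<>();
        m.put("AES-256 (AES/GCM/NoPadding)", () -> {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);                                   // CNSA 2.0: 256-bit keys only
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, kg.generateKey());  // provider picks a random IV
            c.doFinal(new byte[16]);
        });
        m.put("ML-KEM-1024 encapsulate/decapsulate", () -> {
            KeyPair kp = KeyPairGenerator.getInstance("ML-KEM-1024").generateKeyPair();
            KEM kem = KEM.getInstance("ML-KEM");
            KEM.Encapsulated enc = kem.newEncapsulator(kp.getPublic()).encapsulate();
            SecretKey k = kem.newDecapsulator(kp.getPrivate()).decapsulate(enc.encapsulation());
            if (!MessageDigest.isEqual(k.getEncoded(), enc.key().getEncoded()))
                throw new IllegalStateException("shared secrets differ");
        });
        m.put("ML-DSA-87 sign/verify", () -> {
            KeyPair kp = KeyPairGenerator.getInstance("ML-DSA-87").generateKeyPair();
            byte[] msg = "constructed sample message".getBytes();
            Signature s = Signature.getInstance("ML-DSA");
            s.initSign(kp.getPrivate()); s.update(msg);
            byte[] sig = s.sign();
            s.initVerify(kp.getPublic()); s.update(msg);
            if (!s.verify(sig)) throw new SignatureException("verification failed");
        });
        for (String md : List.of("SHA-384", "SHA-512", "SHA3-384", "SHA3-512"))
            m.put(md + " digest", () -> MessageDigest.getInstance(md));
        // "Allowed for specific applications" algorithms: lookup only, no key material needed.
        m.put("LMS verification (Signature HSS/LMS)", () -> Signature.getInstance("HSS/LMS"));
        m.put("LMS key generation (KeyPairGenerator HSS/LMS)", () -> KeyPairGenerator.getInstance("HSS/LMS"));
        m.put("XMSS (Signature XMSS, assumed name)", () -> Signature.getInstance("XMSS"));
        return m;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        checks().forEach((name, check) -> {
            try { check.run(); System.out.println("OK    " + name); }
            catch (Exception e) { System.out.println("FAIL  " + name + " -> " + e); }
        });
    }
}
```

Run it with `java Cnsa2Probe.java` on the JDK under evaluation; each `FAIL` line names the algorithm the installed providers could not supply.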

CNSA 2.0 algorithms: AES (256-bit), CRYSTALS-Kyber (level V parameters), CRYSTALS-Dilithium (level V parameters), SHA (384 or 512), LMS (all parameters, SHA-256/192 preferred), XMSS (all parameters)
29-11-2023

Here is the timing info documented in CNSA 2.0: NSA anticipates the following timetable for implementing other CNSA 2.0 requirements for NSS:
- Software and firmware signing: begin transitioning immediately, support and prefer CNSA 2.0 by 2025, and exclusively use CNSA 2.0 by 2030.
- Web browsers/servers and cloud services: support and prefer CNSA 2.0 by 2025, and exclusively use CNSA 2.0 by 2033.
- Traditional networking equipment (e.g., virtual private networks, routers): support and prefer CNSA 2.0 by 2026, and exclusively use CNSA 2.0 by 2030.
- Operating systems: support and prefer CNSA 2.0 by 2027, and exclusively use CNSA 2.0 by 2033.
- Niche equipment (e.g., constrained devices, large public-key infrastructure systems): support and prefer CNSA 2.0 by 2030, and exclusively use CNSA 2.0 by 2033.
- Custom applications and legacy equipment: update or replace by 2033.
29-11-2023

RFE for CNSA 1.0: JDK-8267319 just FYI
21-06-2023