JDK-8347938 : Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 25
  • Priority: P2
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2025-01-16
  • Updated: 2025-12-11
JDK 26: Unresolved
Description
When ML-KEM and ML-DSA were introduced in JDK 24, the RFCs defining private key encodings for these algorithms had not been published yet. The drafts at the time, draft-ietf-lamps-kyber-certificates and draft-ietf-lamps-dilithium-certificates, described the private key only as "an opaque byte sequence," without specifying a concrete format.

Based on that, the JDK 24 implementation adopted the encodings defined in NIST FIPS 203 and 204, specifically using the private key output from the ML-KEM.KeyGen function (Section 7.1 of FIPS 203) and the ML-DSA.KeyGen function (Section 5.1 of FIPS 204).

Now that RFC XXX (ML-KEM) and RFC 9881 (ML-DSA) have been published, their private key formats are formally defined as DER-encoded ASN.1 CHOICE types. For example, for ML-KEM-512:

	ML-KEM-512-PrivateKey ::= CHOICE {
		seed [0] OCTET STRING (SIZE (64)),
		expandedKey OCTET STRING (SIZE (1632)),
		both SEQUENCE {
			seed OCTET STRING (SIZE (64)),
			expandedKey OCTET STRING (SIZE (1632))
		}
	}

Similar structures are defined for ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87.

The JDK 24 implementation currently uses the second option, `expandedKey OCTET STRING`. To comply with the final RFCs, we need to update our implementation to support the other two CHOICEs as well.
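A decoder that accepts all three CHOICEs has to tell them apart by the outer DER tag and enforce the SIZE constraints. The following is an added example, not code from the JDK or from the pull requests; the class and method names are hypothetical, and it assumes the `[0]` tag is IMPLICIT (so `seed` is encoded with tag 0x80), which the ASN.1 excerpt above does not show.

```java
public class MlKem512PrivateKeyChoice {
    enum Form { SEED, EXPANDED_KEY, BOTH }
    static final int SEED_LEN = 64, EXPANDED_LEN = 1632; // SIZE constraints from the ASN.1 above
    // Parse one DER header at off; returns {tag, contentStart, contentLength}.
    static int[] header(byte[] d, int off) {
        if (off + 2 > d.length) throw new IllegalArgumentException("truncated");
        int tag = d[off] & 0xFF, b = d[off + 1] & 0xFF, len = b, start = off + 2;
        if (b >= 0x80) {                      // long-form length
            int n = b & 0x7F;                 // 0 = indefinite (not DER); more than 2 never needed here
            if (n == 0 || n > 2 || start + n > d.length) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[start++] & 0xFF);
            if (len < 0x80 || (n == 2 && len < 0x100)) throw new IllegalArgumentException("non-minimal length");
        }
        if (start + len > d.length) throw new IllegalArgumentException("truncated");
        return new int[] { tag, start, len };
    }
    static void need(boolean ok) { if (!ok) throw new IllegalArgumentException("wrong tag or size"); }
    // Decide which CHOICE alternative an encoding uses; anything else is rejected.
    static Form classify(byte[] der) {
        int[] h = header(der, 0);
        need(h[1] + h[2] == der.length);      // no trailing bytes after the outer value
        switch (h[0]) {
            case 0x80: need(h[2] == SEED_LEN); return Form.SEED;             // [0], IMPLICIT assumed
            case 0x04: need(h[2] == EXPANDED_LEN); return Form.EXPANDED_KEY; // the form JDK 24 uses
            case 0x30:                                                       // both SEQUENCE
                int[] s = header(der, h[1]);
                need(s[0] == 0x04 && s[2] == SEED_LEN);
                int[] e = header(der, s[1] + s[2]);
                need(e[0] == 0x04 && e[2] == EXPANDED_LEN && e[1] + e[2] == der.length);
                return Form.BOTH;
            default: throw new IllegalArgumentException("not an ML-KEM-512 private key CHOICE");
        }
    }
    static byte[] cat(byte[]... parts) {
        java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        byte[] seed = new byte[SEED_LEN], exp = new byte[EXPANDED_LEN]; // constructed zero-filled placeholders, not real keys
        byte[] seedTlv = cat(new byte[] {0x04, 0x40}, seed);
        byte[] expTlv = cat(new byte[] {0x04, (byte) 0x82, 0x06, 0x60}, exp);
        System.out.println(classify(cat(new byte[] {(byte) 0x80, 0x40}, seed)));
        System.out.println(classify(expTlv));
        System.out.println(classify(cat(new byte[] {0x30, (byte) 0x82, 0x06, (byte) 0xA6}, seedTlv, expTlv)));
    }
}
```

The check is structural only: for `both` it does not verify that the seed actually expands to the accompanying `expandedKey`.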
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/24969 Date: 2025-04-30 15:43:31 +0000
30-04-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/23376 Date: 2025-01-30 22:00:07 +0000
30-01-2025