R&D on Quantum-Resistant Cryptography Adoption in Key Manager #449

@Varaniya201

Title:
Research and prototype integration of quantum-safe crypto algorithms (Kyber, Dilithium, SPHINCS+) in Key Manager

As a security architect or cryptography engineer, I want to conduct R&D to evaluate and prototype the adoption of quantum-safe cryptographic algorithms (Kyber, Dilithium, and SPHINCS+) within the Key Manager component, so that our system can be prepared for post-quantum security and ensure long-term cryptographic resilience against quantum attacks.

Description
This R&D aims to explore the integration of post-quantum cryptographic (PQC) algorithms (Kyber, Dilithium, SPHINCS+) into the existing Key Manager service. The effort includes identifying available libraries, assessing compatibility with the Java 21 tech stack, and designing a prototype implementation.

Key outcomes expected include:

  • Comparative analysis of at least two Java-compatible PQC libraries (license, maturity, performance, native deps).
  • Working Java 21 prototypes for Kyber, Dilithium and SPHINCS+ demonstrating key lifecycle + crypto operations.
  • HSM support plan and prototype integration
  • Integration using PKCS#11 or Java JCE provider interfaces.
  • Performance benchmarks (key sizes, generation, sign/verify, encrypt/decrypt timings) and memory/CPU observations.
  • Security / compliance assessment
  • Documents: R&D summary, technical design for integration into Key Manager, and an upgrade/migration guide.

Acceptance Criteria

  1. Library Evaluation
    Identify and document at least two stable Java-compatible PQC libraries (e.g., BouncyCastle PQC, OpenQuantumSafe bindings, LibOQS-JNI).
    Evaluate license, performance, and implementation maturity for each.
  2. Algorithm Coverage
    Demonstrate basic use of:
    - Kyber
    - Dilithium
    - SPHINCS+
    Each demo must include sample inputs and expected outputs.
  3. Prototype Implementation
    • Implement Java 21 prototypes (non-production sandbox) inside a Key Manager test module for:
      - Key generation.
      - Secure storage and retrieval (in-memory and simulated persistent store).
      - Sign and verify (Dilithium, SPHINCS+).
      - Encrypt / decrypt or KEM flows (Kyber).
  4. Integration Feasibility
    - Produce a technical integration plan showing:
      - How PQC primitives map to existing Key Manager interfaces (KeyPairGenerator, Signature-like APIs, Cipher/KEM-like APIs).
      - JCE provider integration strategy (wrap PQC libs as a JCE provider or use existing providers).
      - PKCS#11 / HSM interaction approach and required vendor considerations.
    - Provide a performance benchmark table (key sizes, generation time, sign/verify/encrypt/decrypt latency, memory footprint) with comparison to RSA/ECC equivalents.
  5. HSM & JCE/PKCS#11 Support
    - Demonstrate or provide a clear prototype path to enable HSM support:
      - Show how to expose PQC keys via PKCS#11 slots assuming HSM vendor support and document required PKCS#11 extensions or limitations.
      - Provide JCE integration plan so existing Key Manager APIs (keyGen, encrypt/decrypt, sign/verify) continue to work with PQC keys with minimal changes.
      - Identify and document any native/JNI dependencies and fallback (software) implementations when HSM lacks PQC support.
  6. Security & Compliance
    - Provide NIST PQC standardization assessment — indicate how chosen parameter sets align with NIST recommendations as of the R&D date.
    - Document key sizes, expected security levels and cryptographic assumptions.
    - Identify any third-party dependencies with security risk (e.g., native libs, JNI) and mitigation.
  7. Deliverable
    - Submit an R&D summary of findings.
    - Prototype artifacts (code, build instructions, tests).
    - Technical design document for production integration.
    - Upgrade/migration document covering steps to adopt PQC in Key Manager and HSM considerations.

Tasks

  1. Research Phase
    • Review NIST PQC outcomes and relevant publications for Kyber/Dilithium/SPHINCS+.
    • Identify Java 21 compatible PQC libraries and bindings (list ≥2).
    • Create evaluation matrix (license, maturity, JNI/native, API surface).
  2. Environment Setup
    • Create isolated Key Manager sandbox project (Java 21).
    • Add build scripts (Maven/Gradle) to import PQC libraries and test harness.
    • Prepare test vectors and example messages.
  3. Prototype Development
    • Implement Kyber KEM flows (keygen, encapsulate/decapsulate) in sandbox.
    • Implement Dilithium.
    • Implement SPHINCS+.
    • Integrate basic key lifecycle (generate, store, retrieve) using existing Key Manager abstractions.
  4. JCE / PKCS#11 / HSM Integration
    • Design and implement a JCE adapter or provider wrapper for the chosen PQC library.
    • Build a PKCS#11 shim/proxy or use a simulated PKCS#11 provider for testing.
    • Attempt HSM vendor integration checklist: vendor PQC support, PKCS#11 extensions, firmware constraints.
  5. Documentation
    • Produce technical design doc: API changes (if any), JCE provider plan, PKCS#11/HSM integration notes, migration strategy.
    • Produce upgrade document with step-by-step instructions to bring PQC into production, including fallback paths and dual-stack migration (PQ+classical hybrid signatures/encryption).
