Architecture playbook: crypto-agility for the post-quantum era. Learn more

Developers

MyPQC developer
documentation.

Build quantum-safe, crypto-agile applications with the Antrapol JCE provider — a drop-in Java Cryptography Extension that keeps the standard Signature, KeyPairGenerator and Cipher APIs you already know, while algorithm choice and packaging become policy-driven.

Java 17 · ML-KEM · ML-DSA · SLH-DSA · KAZ-SIGN · classical RSA / ECDSA / AES

Overview

What is the Antrapol JCE provider?

Antrapol is a policy-driven, crypto-agility JCE provider wrapper. It registers a standard Java Security Provider named "Antrapol" and preserves normal JCE caller semantics while doing three things underneath.

Delegates the real crypto

Actual cryptographic execution is delegated to underlying providers — BouncyCastle, the KAZ provider, SunRsaSign, SunEC and SunJCE — loaded dynamically from configured JAR paths.

Packages outputs into an agility envelope

In the default AGILITY output mode, bytes are wrapped with algorithm and variant metadata so they can be decoded and verified later — even after your organization's default algorithm has changed.

Resolves algorithms from policy

A business purpose and operation can be bound to a thread, and a policy resolver decides the effective algorithm, key size or curve, and signing digest.

The net effect: caller-facing code stays familiar, while which algorithm runs and how the bytes are represented become policy-driven — including a migration path to post-quantum (ML-DSA, SLH-DSA, ML-KEM, and the sovereign KAZ-SIGN) without rewriting application code.

QuantumSafeSignature.java
import java.security.*;
import java.nio.charset.StandardCharsets;
import com.antrapol.jce.Antrapol;

// 1. Register the "Antrapol" provider at position 1
Antrapol.install();

// 2. Generate a post-quantum ML-DSA-65 key pair (FIPS 204)
KeyPairGenerator kpg =
    KeyPairGenerator.getInstance("ML-DSA", "Antrapol");
kpg.initialize(65);
KeyPair kp = kpg.generateKeyPair();

// 3. Sign with the standard JCE Signature API
Signature signer = Signature.getInstance("ML-DSA-65", "Antrapol");
signer.initSign(kp.getPrivate());
signer.update("payload".getBytes(StandardCharsets.US_ASCII));
byte[] sig = signer.sign(); // AGILITY envelope by default

// 4. Verify with the auto signer — algorithm read from the envelope
Signature verifier = Signature.getInstance("Antrapol", "Antrapol");
verifier.initVerify(kp.getPublic());
verifier.update("payload".getBytes(StandardCharsets.US_ASCII));
boolean ok = verifier.verify(sig);

The same shape works for KAZ-SIGN-128/192/256 and SLH-DSA-128/192/256 — just change the algorithm name.

Crypto-agility

Change the algorithm by policy, not by pull request

KAZ-SIGN and KAZ-KEM are optional, policy-selectable sovereign Malaysian algorithms offered alongside the NIST PQC standards. Because choice is decoupled from caller code, the effective algorithm can be swapped centrally at any time.

NIST-aligned PQC

Implements the ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) algorithms via the delegate providers.

Sovereign options

KAZ-SIGN is offered as an optional, policy-selectable sovereign algorithm alongside the NIST standards — never a replacement for them.

Compliance hygiene

Weak digests (MD5, SHA-1, SHA-224) are upgraded automatically, and RSA key sizes of 1024 bits or less are rejected.

Ready to build quantum-safe?

Get platform access, delegate provider JARs and a policy-service endpoint for your team.