Developers
MyPQC developer
documentation.
Build quantum-safe, crypto-agile applications with the Antrapol JCE provider — a drop-in
Java Cryptography Extension that keeps the standard Signature,
KeyPairGenerator
and Cipher
APIs you already know, while algorithm choice and packaging become policy-driven.
Java 17 · ML-KEM · ML-DSA · SLH-DSA · KAZ-SIGN · classical RSA / ECDSA / AES
Start here
Everything you need to integrate
Install the provider, sign your first payload, and understand how policy-driven agility swaps algorithms without touching caller code.
Antrapol JCE SDK — Getting started
Prerequisites, Antrapol.install(), and your first quantum-safe signature end to end.
Learn moreAlgorithm support
The full service coverage: signatures, KEM, digests, symmetric ciphers, key generators and variant naming.
Learn moreCrypto-agility concepts
The ciphagile envelope, RAW vs AGILITY output modes, wrapped keys and how callers stay decoupled from algorithms.
Learn morePolicy-driven resolution
Bind a business purpose to a thread and let a policy resolver decide the effective algorithm, key variant and signing digest.
Learn moreOverview
What is the Antrapol JCE provider?
Antrapol is a policy-driven, crypto-agility JCE provider wrapper. It registers a standard
Java Security Provider
named "Antrapol"
and preserves normal JCE caller semantics while doing three things underneath.
Delegates the real crypto
Actual cryptographic execution is delegated to underlying providers — BouncyCastle, the KAZ provider, SunRsaSign, SunEC and SunJCE — loaded dynamically from configured JAR paths.
Packages outputs into an agility envelope
In the default AGILITY output mode, bytes are wrapped with algorithm and variant metadata so they can be decoded and verified later — even after your organization's default algorithm has changed.
Resolves algorithms from policy
A business purpose and operation can be bound to a thread, and a policy resolver decides the effective algorithm, key size or curve, and signing digest.
The net effect: caller-facing code stays familiar, while which algorithm runs and how the bytes are represented become policy-driven — including a migration path to post-quantum (ML-DSA, SLH-DSA, ML-KEM, and the sovereign KAZ-SIGN) without rewriting application code.
import java.security.*;
import java.nio.charset.StandardCharsets;
import com.antrapol.jce.Antrapol;
// 1. Register the "Antrapol" provider at position 1
Antrapol.install();
// 2. Generate a post-quantum ML-DSA-65 key pair (FIPS 204)
KeyPairGenerator kpg =
KeyPairGenerator.getInstance("ML-DSA", "Antrapol");
kpg.initialize(65);
KeyPair kp = kpg.generateKeyPair();
// 3. Sign with the standard JCE Signature API
Signature signer = Signature.getInstance("ML-DSA-65", "Antrapol");
signer.initSign(kp.getPrivate());
signer.update("payload".getBytes(StandardCharsets.US_ASCII));
byte[] sig = signer.sign(); // AGILITY envelope by default
// 4. Verify with the auto signer — algorithm read from the envelope
Signature verifier = Signature.getInstance("Antrapol", "Antrapol");
verifier.initVerify(kp.getPublic());
verifier.update("payload".getBytes(StandardCharsets.US_ASCII));
boolean ok = verifier.verify(sig);
The same shape works for KAZ-SIGN-128/192/256 and SLH-DSA-128/192/256 — just change the algorithm name.
Crypto-agility
Change the algorithm by policy, not by pull request
KAZ-SIGN and KAZ-KEM are optional, policy-selectable sovereign Malaysian algorithms offered alongside the NIST PQC standards. Because choice is decoupled from caller code, the effective algorithm can be swapped centrally at any time.
NIST-aligned PQC
Implements the ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) algorithms via the delegate providers.
Sovereign options
KAZ-SIGN is offered as an optional, policy-selectable sovereign algorithm alongside the NIST standards — never a replacement for them.
Compliance hygiene
Weak digests (MD5, SHA-1, SHA-224) are upgraded automatically, and RSA key sizes of 1024 bits or less are rejected.
Ready to build quantum-safe?
Get platform access, delegate provider JARs and a policy-service endpoint for your team.