Algorithm support
The Antrapol JCE provider registers a standard Java Security
Provider named "Antrapol" and exposes crypto-agile, policy-selectable
algorithms through the ordinary JCE service types — Signature,
KeyPairGenerator, KeyFactory, KeyStore,
MessageDigest and Cipher. The tables below list every algorithm string
the provider registers today, grouped by JCE service.
Antrapol never implements the raw cryptography itself: it delegates execution to underlying
providers (BouncyCastle, the KAZ provider, SunRsaSign, SunEC,
SunJCE) in configured order, and packages outputs into the crypto-agile
ciphagile envelope. Which algorithm runs can come from the caller or from
policy bound to a business purpose — so you can migrate classical → post-quantum without
rewriting caller code.
Signatures
Requested through Signature.getInstance(name, "Antrapol"). Post-quantum
ML-DSA and SLH-DSA align with the finalized NIST PQC standards
FIPS 204 and FIPS 205. KAZ-SIGN is a sovereign (Malaysian) option offered
alongside the NIST algorithms — it is not a NIST standard, and crypto-agility lets the
choice be swapped by policy at any time.
| Algorithm | Type | Notes |
|---|---|---|
| ML-DSA-44 | PQC · lattice | NIST FIPS 204 (ML-DSA). Strength-based init via KeyPairGenerator.ML-DSA. |
| ML-DSA-65 | PQC · lattice | NIST FIPS 204 (ML-DSA). Recommended default balance of size vs. security. |
| ML-DSA-87 | PQC · lattice | NIST FIPS 204 (ML-DSA). Highest ML-DSA parameter set. |
| SLH-DSA-128 | PQC · hash-based | NIST FIPS 205 (SLH-DSA). Base name; 12 SHA2/SHAKE {s|f} variants registered as aliases. |
| SLH-DSA-192 | PQC · hash-based | NIST FIPS 205 (SLH-DSA). Full variant preserved in envelope metadata. |
| SLH-DSA-256 | PQC · hash-based | NIST FIPS 205 (SLH-DSA). e.g. SLH-DSA-SHAKE-256f via the policy-driven path. |
| KAZ-SIGN-128 | PQC · sovereign | Sovereign (Malaysian) option — not a NIST standard. Policy-selectable alongside the NIST algorithms. |
| KAZ-SIGN-192 | PQC · sovereign | Sovereign (Malaysian) option — not a NIST standard. Delegates under base KAZ-SIGN. |
| KAZ-SIGN-256 | PQC · sovereign | Sovereign (Malaysian) option — not a NIST standard. Variant preserved in envelope metadata. |
| Algorithm | Type | Notes |
|---|---|---|
| SHA256withRSA | Classical · RSA | Weak-digest requests (MD5/SHA-1/SHA-224/SHA-256) are upgraded to SHA384withRSA by compliance normalization. |
| SHA384withRSA | Classical · RSA | RSA keygen rejects key sizes ≤ 1024 bits. |
| SHA512withRSA | Classical · RSA | Delegated to SunRsaSign / BouncyCastle. |
| SHA3-256withRSA | Classical · RSA | SHA-3 digest names keep the hyphen. |
| SHA3-384withRSA | Classical · RSA | SHA-3 signature variant. |
| SHA3-512withRSA | Classical · RSA | SHA-3 signature variant. |
| SHA256withECDSA | Classical · ECDSA | Upgraded to SHA384withECDSA for EC requests by compliance normalization. |
| SHA384withECDSA | Classical · ECDSA | Delegated to SunEC / BouncyCastle. |
| SHA512withECDSA | Classical · ECDSA | Elliptic-curve signature. |
| SHA3-256withECDSA | Classical · ECDSA | SHA-3 signature variant. |
| SHA3-384withECDSA | Classical · ECDSA | SHA-3 signature variant. |
| SHA3-512withECDSA | Classical · ECDSA | SHA-3 signature variant. |
| Antrapol | Auto / virtual | Verify: auto-detects the algorithm from the signature envelope. Sign: resolves the algorithm from a bound PurposeContext via policy. |
Key encapsulation (KEM)
ML-KEM is exposed through Cipher.getInstance("ML-KEM", "Antrapol"), supporting both
WRAP/UNWRAP and encapsulate/decapsulate (KEM-only) conventions. Key pairs are generated with
KeyPairGenerator.ML-KEM using strength-based init (default 768).
| Algorithm | Type | Notes |
|---|---|---|
| ML-KEM-512 | PQC · lattice KEM | NIST FIPS 203 (ML-KEM). Strength 512. |
| ML-KEM-768 | PQC · lattice KEM | NIST FIPS 203 (ML-KEM). Default strength. |
| ML-KEM-1024 | PQC · lattice KEM | NIST FIPS 203 (ML-KEM). Highest ML-KEM parameter set. |
Message digests
Requested through MessageDigest.getInstance(name, "Antrapol"). Weak digests
(MD5 / SHA-1 / SHA-224) are upgraded to SHA-256; SHA-256/384/512 and the SHA-3 variants pass
through unchanged.
| Algorithm | Type | Notes |
|---|---|---|
| SHA-256 | SHA-2 | Passes through compliance normalization. |
| SHA-384 | SHA-2 | Passes through compliance normalization. |
| SHA-512 | SHA-2 | Passes through compliance normalization. |
| SHA3-256 | SHA-3 | SHA-3 family. |
| SHA3-384 | SHA-3 | SHA-3 family. |
| SHA3-512 | SHA-3 | SHA-3 family. |
| Antrapol | Auto / virtual | Auto-detection: parses a DIGEST envelope and returns the embedded digest bytes (initFromEnvelope). |
Ciphers
Symmetric ciphers and the ML-KEM key-wrap/encapsulation path are exposed through
Cipher.getInstance(name, "Antrapol"). AES/GCM envelopes package the IV, AAD and
auth tag alongside the ciphertext.
| Transformation | Type | Notes |
|---|---|---|
| AES | Symmetric | Default AES cipher; keys via KeyGenerator.AES. |
| AES/GCM/NoPadding | Symmetric · AEAD | Authenticated encryption; IV/AAD/auth-tag packaged in the agility envelope. |
| AES/CBC/PKCS5Padding | Symmetric | Block cipher with PKCS#5 padding. |
| ML-KEM | PQC · KEM (wrap/encapsulate) | NIST FIPS 203. WRAP/UNWRAP a session key, or encapsulate/decapsulate a shared secret (context tag 0x0B). |
| Antrapol | Auto / virtual | Decrypt-only auto mode: reads algorithm metadata from the cipher envelope and routes KEM envelopes to decapsulation. |
KeyPairGenerator & KeyFactory
The same algorithm set is registered for both KeyPairGenerator and
KeyFactory. Generated keys are returned as wrapped keys carrying both the concrete
delegate key and the agility-encoded bytes; unwrap first if your code needs the concrete JCE
key type.
| Algorithm | Type | Notes |
|---|---|---|
| RSA | Classical | Variant-encoded as RSA-2048/3072/4096. Key sizes ≤ 1024 rejected. |
| EC | Classical | Variant-encoded as EC-secp256r1/384r1/521r1. |
| ML-DSA | PQC · signature | NIST FIPS 204. Strength-based init (44/65/87). |
| SLH-DSA | PQC · signature | NIST FIPS 205. Full 12-variant coverage via the policy-driven path. |
| ML-KEM | PQC · KEM | NIST FIPS 203. Strength-based init (512/768/1024). |
| KAZ-SIGN | PQC · sovereign signature | Sovereign (Malaysian) option — not a NIST standard. Variants 128/192/256. |
KeyStore
| Type | Notes |
|---|---|
| PEM | Stores and reloads key entries as PEM blocks. Certificate entries are intentionally unsupported. |
Standards & accuracy notes
- FIPS 203 / 204 / 205 are the NIST post-quantum cryptography standards finalized in August 2024 — ML-KEM, ML-DSA and SLH-DSA respectively. MyPQC implements the FIPS algorithms via its delegate providers. This is an algorithm-conformance statement only and does not assert FIPS 140 module validation.
- KAZ-SIGN (128 / 192 / 256) is a sovereign (Malaysian) algorithm offered alongside the NIST standards. It is not a NIST standard and carries no NIST approval or FIPS status. Because algorithm choice is policy-selectable, KAZ-SIGN can be enabled, disabled or swapped for a NIST algorithm at any time without changing caller code.
- Weak algorithms are upgraded automatically by compliance normalization: MD5 / SHA-1 / SHA-224 (and SHA-256 for signatures) become SHA-384 signature variants, weak digests become SHA-256, and RSA key sizes ≤ 1024 bits are rejected.
For installation, configuration and end-to-end usage examples, head back to the Antrapol JCE SDK reference.