Architecture playbook: crypto-agility for the post-quantum era. Learn more

Algorithm support

The Antrapol JCE provider registers a standard Java Security Provider named "Antrapol" and exposes crypto-agile, policy-selectable algorithms through the ordinary JCE service types — Signature, KeyPairGenerator, KeyFactory, KeyStore, MessageDigest and Cipher. The tables below list every algorithm string the provider registers today, grouped by JCE service.

Antrapol never implements the raw cryptography itself: it delegates execution to underlying providers (BouncyCastle, the KAZ provider, SunRsaSign, SunEC, SunJCE) in configured order, and packages outputs into the crypto-agile ciphagile envelope. Which algorithm runs can come from the caller or from policy bound to a business purpose — so you can migrate classical → post-quantum without rewriting caller code.

Signatures

Requested through Signature.getInstance(name, "Antrapol"). Post-quantum ML-DSA and SLH-DSA align with the finalized NIST PQC standards FIPS 204 and FIPS 205. KAZ-SIGN is a sovereign (Malaysian) option offered alongside the NIST algorithms — it is not a NIST standard, and crypto-agility lets the choice be swapped by policy at any time.

Post-quantum signature algorithms
AlgorithmTypeNotes
ML-DSA-44PQC · latticeNIST FIPS 204 (ML-DSA). Strength-based init via KeyPairGenerator.ML-DSA.
ML-DSA-65PQC · latticeNIST FIPS 204 (ML-DSA). Recommended default balance of size vs. security.
ML-DSA-87PQC · latticeNIST FIPS 204 (ML-DSA). Highest ML-DSA parameter set.
SLH-DSA-128PQC · hash-basedNIST FIPS 205 (SLH-DSA). Base name; 12 SHA2/SHAKE {s|f} variants registered as aliases.
SLH-DSA-192PQC · hash-basedNIST FIPS 205 (SLH-DSA). Full variant preserved in envelope metadata.
SLH-DSA-256PQC · hash-basedNIST FIPS 205 (SLH-DSA). e.g. SLH-DSA-SHAKE-256f via the policy-driven path.
KAZ-SIGN-128PQC · sovereignSovereign (Malaysian) option — not a NIST standard. Policy-selectable alongside the NIST algorithms.
KAZ-SIGN-192PQC · sovereignSovereign (Malaysian) option — not a NIST standard. Delegates under base KAZ-SIGN.
KAZ-SIGN-256PQC · sovereignSovereign (Malaysian) option — not a NIST standard. Variant preserved in envelope metadata.
Classical signature algorithms (RSA / ECDSA, incl. SHA-3)
AlgorithmTypeNotes
SHA256withRSAClassical · RSAWeak-digest requests (MD5/SHA-1/SHA-224/SHA-256) are upgraded to SHA384withRSA by compliance normalization.
SHA384withRSAClassical · RSARSA keygen rejects key sizes ≤ 1024 bits.
SHA512withRSAClassical · RSADelegated to SunRsaSign / BouncyCastle.
SHA3-256withRSAClassical · RSASHA-3 digest names keep the hyphen.
SHA3-384withRSAClassical · RSASHA-3 signature variant.
SHA3-512withRSAClassical · RSASHA-3 signature variant.
SHA256withECDSAClassical · ECDSAUpgraded to SHA384withECDSA for EC requests by compliance normalization.
SHA384withECDSAClassical · ECDSADelegated to SunEC / BouncyCastle.
SHA512withECDSAClassical · ECDSAElliptic-curve signature.
SHA3-256withECDSAClassical · ECDSASHA-3 signature variant.
SHA3-384withECDSAClassical · ECDSASHA-3 signature variant.
SHA3-512withECDSAClassical · ECDSASHA-3 signature variant.
AntrapolAuto / virtualVerify: auto-detects the algorithm from the signature envelope. Sign: resolves the algorithm from a bound PurposeContext via policy.

Key encapsulation (KEM)

ML-KEM is exposed through Cipher.getInstance("ML-KEM", "Antrapol"), supporting both WRAP/UNWRAP and encapsulate/decapsulate (KEM-only) conventions. Key pairs are generated with KeyPairGenerator.ML-KEM using strength-based init (default 768).

Key-encapsulation mechanisms
AlgorithmTypeNotes
ML-KEM-512PQC · lattice KEMNIST FIPS 203 (ML-KEM). Strength 512.
ML-KEM-768PQC · lattice KEMNIST FIPS 203 (ML-KEM). Default strength.
ML-KEM-1024PQC · lattice KEMNIST FIPS 203 (ML-KEM). Highest ML-KEM parameter set.

Message digests

Requested through MessageDigest.getInstance(name, "Antrapol"). Weak digests (MD5 / SHA-1 / SHA-224) are upgraded to SHA-256; SHA-256/384/512 and the SHA-3 variants pass through unchanged.

Message-digest algorithms
AlgorithmTypeNotes
SHA-256SHA-2Passes through compliance normalization.
SHA-384SHA-2Passes through compliance normalization.
SHA-512SHA-2Passes through compliance normalization.
SHA3-256SHA-3SHA-3 family.
SHA3-384SHA-3SHA-3 family.
SHA3-512SHA-3SHA-3 family.
AntrapolAuto / virtualAuto-detection: parses a DIGEST envelope and returns the embedded digest bytes (initFromEnvelope).

Ciphers

Symmetric ciphers and the ML-KEM key-wrap/encapsulation path are exposed through Cipher.getInstance(name, "Antrapol"). AES/GCM envelopes package the IV, AAD and auth tag alongside the ciphertext.

Cipher transformations
TransformationTypeNotes
AESSymmetricDefault AES cipher; keys via KeyGenerator.AES.
AES/GCM/NoPaddingSymmetric · AEADAuthenticated encryption; IV/AAD/auth-tag packaged in the agility envelope.
AES/CBC/PKCS5PaddingSymmetricBlock cipher with PKCS#5 padding.
ML-KEMPQC · KEM (wrap/encapsulate)NIST FIPS 203. WRAP/UNWRAP a session key, or encapsulate/decapsulate a shared secret (context tag 0x0B).
AntrapolAuto / virtualDecrypt-only auto mode: reads algorithm metadata from the cipher envelope and routes KEM envelopes to decapsulation.

KeyPairGenerator & KeyFactory

The same algorithm set is registered for both KeyPairGenerator and KeyFactory. Generated keys are returned as wrapped keys carrying both the concrete delegate key and the agility-encoded bytes; unwrap first if your code needs the concrete JCE key type.

KeyPairGenerator / KeyFactory algorithms
AlgorithmTypeNotes
RSAClassicalVariant-encoded as RSA-2048/3072/4096. Key sizes ≤ 1024 rejected.
ECClassicalVariant-encoded as EC-secp256r1/384r1/521r1.
ML-DSAPQC · signatureNIST FIPS 204. Strength-based init (44/65/87).
SLH-DSAPQC · signatureNIST FIPS 205. Full 12-variant coverage via the policy-driven path.
ML-KEMPQC · KEMNIST FIPS 203. Strength-based init (512/768/1024).
KAZ-SIGNPQC · sovereign signatureSovereign (Malaysian) option — not a NIST standard. Variants 128/192/256.

KeyStore

KeyStore types
TypeNotes
PEMStores and reloads key entries as PEM blocks. Certificate entries are intentionally unsupported.

Standards & accuracy notes

  • FIPS 203 / 204 / 205 are the NIST post-quantum cryptography standards finalized in August 2024 — ML-KEM, ML-DSA and SLH-DSA respectively. MyPQC implements the FIPS algorithms via its delegate providers. This is an algorithm-conformance statement only and does not assert FIPS 140 module validation.
  • KAZ-SIGN (128 / 192 / 256) is a sovereign (Malaysian) algorithm offered alongside the NIST standards. It is not a NIST standard and carries no NIST approval or FIPS status. Because algorithm choice is policy-selectable, KAZ-SIGN can be enabled, disabled or swapped for a NIST algorithm at any time without changing caller code.
  • Weak algorithms are upgraded automatically by compliance normalization: MD5 / SHA-1 / SHA-224 (and SHA-256 for signatures) become SHA-384 signature variants, weak digests become SHA-256, and RSA key sizes ≤ 1024 bits are rejected.

For installation, configuration and end-to-end usage examples, head back to the Antrapol JCE SDK reference.