JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3

OwnerJamil Nimeh
TypeFeature
ScopeSE
StatusCandidate
Componentsecurity-libs / javax.net.ssl
Discussionsecurity dash dev at openjdk dot org
EffortM
DurationM
Reviewed bySean Mullan
Created2025/06/03 19:46
Updated2025/09/30 17:07
Issue8358541

Summary

Enhance the security of Java applications that require secure network communication by implementing hybrid key exchange algorithms for TLS 1.3. Such algorithms defend against future quantum computing attacks by combining a quantum-resistant algorithm with a traditional algorithm. Applications that use the javax.net.ssl APIs will benefit from these improved algorithms by default, without change to existing code.

Non-Goals

Motivation

Quantum computing poses an increasing threat to widely-deployed public-key based encryption algorithms such as Rivest-Shamir-Adelman (RSA) and Elliptic-Curve Diffie-Hellman (ECDH). Switching to quantum-resistant algorithms is urgent even though large-scale quantum computers that can break these algorithms do not yet exist, since an adversary could harvest encrypted data today, store it, and decrypt it once such computers become available.

In order to defend TLS against this "harvest now, decrypt later" threat, the Internet Engineering Task Force (IETF) TLS Working Group has developed a framework for hybrid key exchange schemes for TLS 1.3. A hybrid key exchange scheme combines a quantum-resistant algorithm with a traditional algorithm, and is secure as long as one of the algorithms remains unbroken. This approach defends against quantum attacks while acknowledging that these newer algorithms have not yet benefited from the years of testing and analysis already performed on traditional algorithms.

The Java Platform already contains the building blocks for implementing hybrid key exchange schemes with the addition of the KEM API in Java 21 (JEP 452) and the ML-KEM algorithm in Java 24 (JEP 496). Implementing these hybrid key exchange schemes for TLS is the next step in the platform's support of post-quantum cryptography.

Description

We will enhance the TLS 1.3 implementation to support three new post-quantum hybrid key exchange schemes that combine ML-KEM with the traditional Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) algorithms:

The TLS specification refers to key exchange schemes as "named groups". Accordingly, we will add the names of these schemes to the Named Groups section of the Java Security Standard Algorithm Names specification. The names are the same as those specified by the IANA.

Using hybrid key exchange schemes

TLS clients list the key exchange schemes that they support, ordered by preference, in the initial message of the TLS handshake. By default, the hybrid schemes will be at the front of that list, making them the most preferred. Thus no changes to existing code will be required in order to benefit from quantum-resistant TLS when it is available, as long as that code does not already select specific key exchange schemes.

The complete default list of schemes will be: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024, x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, and ffdhe4096.

You can change the default list of schemes by setting the system property jdk.tls.namedGroups. You can also select specific schemes by calling the SSLParameters::setNamedGroups method when configuring a TLS socket connection; for example:

SSLSocket tlsSock = (SSLSocket)(SSLContext.getDefault().
                                getSocketFactory().createSocket());
SSLParameters params = tlsSock.getSSLParameters();

// Configure the socket to use two hybrid KEM schemes and
// two traditional schemes
params.setNamedGroups(new String[] {
    "SecP256r1MLKEM768", "X25519MLKEM768", "secp256r1", "x25519"
});
tlsSock.setSSLParameters(params);

Alternatives

As mentioned above, we do not here propose to implement ML-KEM-based non-hybrid key exchange schemes for TLS. Such pure schemes are another way to defend against future quantum computing attacks. Hybrid schemes, however, are at present in higher demand and give a minimal guarantee of security against both quantum and traditional attacks which neither class of algorithm provides on its own. We may implement pure ML-KEM schemes in future work.

Testing

Risks and Assumptions

The IETF specifications for hybrid key exchange in TLS 1.3 and ECDHE/MLKEM Hybrid are still in the draft stage. We will only deliver this feature after these drafts have become standards, by being promoted to RFCs.