AWS-LC FIPS 3.0, the first open-source cryptographic module to provide post-quantum algorithm support within the FIPS module, has been added to the NIST Cryptographic Module Validation Program.
This validation introduces support for the Module Lattice-Based Key Encapsulation Mechanism (ML-KEM), which works by establishing a shared secret between two parties based on an underlying problem that is believed to be hard for quantum computers to solve.
Organizations that require FIPS-validated cryptographic modules can now use these algorithms within AWS-LC to enhance long-term confidentiality of their sensitive customer workflows.
AWS-LC FIPS 3.0 includes the ML-KEM algorithm for all three provided parameter sets, which differ in security strength as specified by NIST.
This announcement is part of the long-term promise made by AWS-LC to obtain new FIPS 140-3 certificates and to support its wider developer community of Rust, Java and Python developers.
In AWS-LC FIPS 3.0, the latest member of the Secure Hash Algorithm standard SHA-3 and the digital signature algorithm EdDSA are added, and performance improvements are made on public-key cryptography algorithms widely used in transport protocols.
ML-KEM is now available in our open-source TLS implementation s2n-tls through hybrid key exchange, with added support for hybrid ECDHE-ML-KEM key agreement in TLS 1.3.
With ML-KEM’s addition to the list of NIST-approved algorithms, you can now include non-FIPS standardized algorithms like Curve x25519 in hybrid cipher suites within FIPS 140-approved mode.
You can use both the s2n-tls and AWS-LC TLS libraries to enable hybrid post-quantum security with ML-KEM today by enabling X25519MLKEM768 and SecP256r1MLKEM768 for key exchange.
AWS-LC is committed to continually validating new versions of AWS-LC as new algorithms are added within the FIPS boundary, to facilitate integration into CPython, rustls, and ACCP 2.0 libraries.