Skip to content

Post-Quantum Cryptography (PQC) Support #76

Description

@legrottagliegionata

Feature Request: Post-Quantum Cryptography (PQC) Support

Hi,

I would like to propose adding Post-Quantum Cryptography (PQC) support to the FusionAuth crypto/JWT libraries.

Motivation

With NIST standardizing post-quantum algorithms, several ecosystems are starting to prepare migration paths toward quantum-resistant signatures. While current FusionAuth libraries provide excellent support for classical algorithms (RSA, EC, EdDSA, RSASSA-PSS), there is currently no support for PQC algorithms.

Adding PQC support would allow early adopters to experiment with hybrid and quantum-safe JWT signing strategies.

Existing Java Support

The Java ecosystem already provides mature building blocks.

In particular:

org.bouncycastle:bcpkix-jdk18on:1.84

includes PQC implementations and providers for multiple NIST candidates, including:

  • CRYSTALS-Dilithium (signatures)
  • Falcon (signatures)
  • SPHINCS+
  • ML-KEM / Kyber (key encapsulation)

Since Bouncy Castle integrates through the standard JCA/JCE provider model, FusionAuth could potentially support PQC algorithms without major architectural changes by:

  • registering the Bouncy Castle PQC provider
  • extending key parsing / JWK handling
  • allowing custom alg identifiers for PQC signatures
  • enabling hybrid signatures (e.g. Ed25519 + Dilithium)

Suggested Scope (incremental)

  1. Allow custom signature algorithms backed by JCA providers.
  2. Add experimental PQC algorithm identifiers.
  3. Enable signing/verifying JWTs using PQC keys.
  4. Optionally document hybrid signature strategies.

Why Now

  • NIST PQC standardization is progressing rapidly.
  • Early integration enables experimentation without breaking existing users.
  • FusionAuth could become one of the first identity platforms offering quantum-ready JWT tooling.

Happy to help with design discussion or testing if this direction is considered valuable.

Thanks.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions