Feature Request: Post-Quantum Cryptography (PQC) Support
Hi,
I would like to propose adding Post-Quantum Cryptography (PQC) support to the FusionAuth crypto/JWT libraries.
Motivation
With NIST standardizing post-quantum algorithms, several ecosystems are starting to prepare migration paths toward quantum-resistant signatures. While current FusionAuth libraries provide excellent support for classical algorithms (RSA, EC, EdDSA, RSASSA-PSS), there is currently no support for PQC algorithms.
Adding PQC support would allow early adopters to experiment with hybrid and quantum-safe JWT signing strategies.
Existing Java Support
The Java ecosystem already provides mature building blocks.
In particular:
org.bouncycastle:bcpkix-jdk18on:1.84
includes PQC implementations and providers for multiple NIST candidates, including:
- CRYSTALS-Dilithium (signatures)
- Falcon (signatures)
- SPHINCS+
- ML-KEM / Kyber (key encapsulation)
Since Bouncy Castle integrates through the standard JCA/JCE provider model, FusionAuth could potentially support PQC algorithms without major architectural changes by:
- registering the Bouncy Castle PQC provider
- extending key parsing / JWK handling
- allowing custom
alg identifiers for PQC signatures
- enabling hybrid signatures (e.g. Ed25519 + Dilithium)
Suggested Scope (incremental)
- Allow custom signature algorithms backed by JCA providers.
- Add experimental PQC algorithm identifiers.
- Enable signing/verifying JWTs using PQC keys.
- Optionally document hybrid signature strategies.
Why Now
- NIST PQC standardization is progressing rapidly.
- Early integration enables experimentation without breaking existing users.
- FusionAuth could become one of the first identity platforms offering quantum-ready JWT tooling.
Happy to help with design discussion or testing if this direction is considered valuable.
Thanks.
Feature Request: Post-Quantum Cryptography (PQC) Support
Hi,
I would like to propose adding Post-Quantum Cryptography (PQC) support to the FusionAuth crypto/JWT libraries.
Motivation
With NIST standardizing post-quantum algorithms, several ecosystems are starting to prepare migration paths toward quantum-resistant signatures. While current FusionAuth libraries provide excellent support for classical algorithms (RSA, EC, EdDSA, RSASSA-PSS), there is currently no support for PQC algorithms.
Adding PQC support would allow early adopters to experiment with hybrid and quantum-safe JWT signing strategies.
Existing Java Support
The Java ecosystem already provides mature building blocks.
In particular:
includes PQC implementations and providers for multiple NIST candidates, including:
Since Bouncy Castle integrates through the standard JCA/JCE provider model, FusionAuth could potentially support PQC algorithms without major architectural changes by:
algidentifiers for PQC signaturesSuggested Scope (incremental)
Why Now
Happy to help with design discussion or testing if this direction is considered valuable.
Thanks.