Posted On: Mar 16, 2022

AWS Key Management Service (KMS) and AWS Certificate Manager (ACM) now support hybrid post-quantum key establishment for Transport Layer Security (SSL/TLS) connections, using the latest post-quantum key encapsulation mechanisms from Round 3 of the NIST Post-Quantum Cryptography (PQC) selection process. These TLS configurations let you measure the performance impact of the PQC algorithms (larger key shares and extra computation in the handshake) ahead of a formal standardization announcement. They also give you longer-term confidentiality: traffic recorded today cannot be decrypted later by an attacker who gains the ability to break the classical key exchange, because the session keys also depend on the post-quantum exchange.

The three PQC key encapsulation mechanisms (KEMs) offered are Kyber, BIKE, and SIKE. Hybrid post-quantum TLS combines a classical key agreement, such as ECDHE, with one of these KEMs: both exchanges run in the same handshake, and both shared secrets feed into the derivation of the session keys. An attacker therefore has to break both the classical key agreement and the KEM to recover the session keys, so the connection is at least as strong as the stronger of the two, and a weakness found later in a not-yet-standardized KEM does not leave you worse off than classical TLS.
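The combination step described above, as an added example that is not part of this announcement or of the AWS implementation: a Go program that runs an ECDHE (P-256) exchange and a KEM exchange in one handshake and derives the session key from both shared secrets. Kyber, BIKE and SIKE are not in the Go standard library, so the KEM here is a stand-in built from X25519 behind the keygen/encapsulate/decapsulate interface those schemes present (an assumption of the example, and not post-quantum). The concatenation order, the HKDF info label and all function names are likewise this example's own choices. What it shows is the property the paragraph claims: the derived key agrees on both sides, and an attacker who knows only one component secret gets a different key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Stand-in KEM (assumption of this example): X25519 wrapped in the keygen/encaps/decaps
// API that Kyber, BIKE and SIKE expose. It is classical, not post-quantum.
func kemKeyGen() (*ecdh.PrivateKey, []byte) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return priv, priv.PublicKey().Bytes() // decapsulation key, encoded public key
}

// kemEncaps: shared secret for the holder of pub, plus the ciphertext (here an
// ephemeral X25519 public key) from which only they can recover it.
func kemEncaps(pub []byte) (secret, ciphertext []byte) {
	pk, err := ecdh.X25519().NewPublicKey(pub)
	must(err)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	secret, err = eph.ECDH(pk)
	must(err)
	return secret, eph.PublicKey().Bytes()
}

// kemDecaps recovers the shared secret from the ciphertext.
func kemDecaps(priv *ecdh.PrivateKey, ciphertext []byte) []byte {
	pk, err := ecdh.X25519().NewPublicKey(ciphertext)
	must(err)
	secret, err := priv.ECDH(pk)
	must(err)
	return secret
}

// hkdf derives one 32-byte block with HKDF-SHA256 (RFC 5869: Extract with an empty salt, then Expand, counter 1).
func hkdf(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// hybridSecret is the combiner: both secrets become one input keying material, so the key
// depends on each. Order (classical first) and the info label are assumptions of this example.
func hybridSecret(ecdheSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdheSecret...), kemSecret...)
	return hkdf(ikm, []byte("hybrid pq tls demo"))
}

type handshakeResult struct {
	ClientKey, ServerKey   []byte
	EcdheSecret, KemSecret []byte // exposed only for the break-one-component check
}

// runHybridExchange walks one ECDHE(P-256) + KEM hybrid key establishment.
func runHybridExchange() *handshakeResult {
	// Client key share: an ECDHE public key plus a fresh KEM public key.
	cEcdh, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	cKem, kemPub := kemKeyGen()
	// Server reply: its ECDHE public key plus a KEM ciphertext for the client's key.
	sEcdh, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	sEcdhSecret, err := sEcdh.ECDH(cEcdh.PublicKey())
	must(err)
	sKemSecret, kemCt := kemEncaps(kemPub)
	// Client: ECDH with the server's public key, decapsulate the ciphertext, then combine.
	cEcdhSecret, err := cEcdh.ECDH(sEcdh.PublicKey())
	must(err)
	cKemSecret := kemDecaps(cKem, kemCt)
	return &handshakeResult{hybridSecret(cEcdhSecret, cKemSecret), hybridSecret(sEcdhSecret, sKemSecret), cEcdhSecret, cKemSecret}
}

// ecdheOnlyRecoversKey: an attacker who broke the classical exchange knows EcdheSecret but
// not KemSecret; substituting a wrong KEM secret (zeros) shows that is not enough for the key.
func ecdheOnlyRecoversKey(r *handshakeResult) bool {
	guess := hybridSecret(r.EcdheSecret, make([]byte, len(r.KemSecret)))
	return bytes.Equal(guess, r.ClientKey)
}

func main() {
	r := runHybridExchange()
	fmt.Printf("client key %x\nserver key %x\n", r.ClientKey, r.ServerKey)
	fmt.Println("classical secret alone recovers the key:", ecdheOnlyRecoversKey(r))
}
```

Run it with `go run main.go` (Go 1.20 or later for `crypto/ecdh`); the two keys print identical and the last line reports `false`. In the TLS hybrid designs the client sends both public values in its key share, the server answers with its ECDHE public key and the KEM ciphertext, and the concatenated secret enters the normal key schedule in place of the plain ECDHE secret; the combiner is the part that carries the security claim, which is why the example isolates it in `hybridSecret`.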

Hybrid post-quantum TLS for AWS KMS and ACM is available in all public AWS Regions.

To get started, refer to the documentation and this sample Java project, which shows how to use the new hybrid post-quantum TLS configuration.