Post-Quantum Cryptography
Bringing quantum-resistance to AWS services and customers
What is post-quantum cryptography at AWS?
At AWS, the confidentiality, integrity, and authenticity of our customers' data is a top priority. Today's widely-used public-key cryptographic schemes rely on mathematical problems - like integer factoring and discrete logarithms - that could be efficiently solved by future quantum computers. To address this challenge, AWS is deploying new NIST-standardized post-quantum cryptographic algorithms that are designed to resist both classical and quantum computing attacks. These algorithms, including the Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM) and Module-Lattice-based Digital Signature Algorithm (ML-DSA), are based on different mathematical foundations that are believed to be resistant to quantum computing attacks.
AWS has already deployed post-quantum cryptography across several key services. AWS Key Management Service (AWS KMS), AWS Secrets Manager, and AWS Certificate Manager have implemented post-quantum hybrid key establishment combining Elliptic Curve Diffie-Hellman (ECDH) with ML-KEM to protect against "harvest now, decrypt later" attacks. At the foundation of these implementations is AWS-LC, our FIPS-140-3-validated cryptographic library, which was the first open-source cryptographic module to include ML-KEM in its FIPS validation.
AWS Migration to Quantum-Resistant Cryptography
Through our PQC migration strategy, AWS is ensuring that customers’ security needs are met not just for today, but well into the quantum computing era. We continue to work closely with our customers, global standards organizations and the cryptographic community to advance the development and deployment of quantum-safe technologies.
The AWS Post-Quantum team interfaces with the global cryptographic community by participating in international conferences, the open literature, and standards organizations with a goal of leading the adoption of quantum-resistant cloud-scale cryptographic technology. We are participating in projects and working groups on quantum-resistant cryptography, including the Internet Engineering Task Force (IETF), ETSI Quantum Safe Cryptography Technical Committee, NIST’s National Cybersecurity Center of Excellence (NCCoE) Migration to Post-Quantum Cryptography project, MITRE Post-Quantum Cryptography Coalition, Post-Quantum Cryptography Alliance (PQCA), and the Open Quantum Safe initiative.
AWS Post-quantum Cryptography Migration Workstreams
Overview of migration workstreams
The AWS post-quantum cryptography migration strategy (blog post) consists of the following four workstreams, in order of priority based on quantum risk:
- Prioritization and Inventory: We've completed assessment of existing systems and are actively implementing new standards to ensure interoperability. For customers whose workloads are not fully based on AWS managed services, our process as described in the blog referenced above may serve as a template for your own PQC planning.
- Public Endpoint Confidentiality: ML-KEM deployment is underway across all customer-facing service endpoints, and related client-side SDKs and builder tools.
- Roots of trust for digital signatures: Integrating ML-DSA into services that issue or use digital certificates and post-quantum signatures for quantum-resistant session-based authentication, beginning with AWS Key Management Service (KMS) and Private CA.
- Authenticity of digital communication: In the fullness of time, and aligned with industry standards, we will upgrade session authentication to use PQC. Since authentication cannot be retroactively compromised by a future quantum computer, this workstream is less urgent in relative priority.
Prioritization and Inventory of your Workload Dependencies
The AWS post-quantum cryptography migration strategy (blog post) describes how AWS has done its cryptographic inventory and our plan to migrate to PQC. If you don’t delegate all your cryptographic operations to AWS, what should you be doing to prepare? While no single approach will be right for all applications and industries, here are some resources with more context on recommendations that we contributed to or used as part of our work:
- CISA Quantum-Readiness: Migration to Post-Quantum Cryptography
- CISA Strategy for Migrating to Automated Post-Quantum Cryptography Discovery and Inventory Tools
- ETSI TR 103 619 Migration strategies and recommendations to Quantum Safe schemes
In the resources section of this page, you will find additional videos and resources from AWS and AWS customers on strategies to approach PQC planning.
Protection against harvest now, decrypt later
There are two classes of services and experiences where AWS is upgrading encryption of data in transit to post-quantum cryptography.
- For AWS service endpoints: We have begun deploying ML-KEM for hybrid post-quantum key exchange support to public service endpoints. Updated endpoints will automatically prefer post-quantum key exchange where supported by a client. Your side of the shared responsibility model is to update web browsers and clients that communicate with service endpoints.
- For customer-owned network resources such as load balancers: Updated TLS policies that support ML-KEM for hybrid post-quantum key exchange are available for customer use. Updating resource configuration to a PQ-enabled TLS policy is on the customers’ side of the shared responsibility model. You can additionally use IAM resource control policies to enforce your desired TLS policies on future resource creation and future resource updates.
Modern algorithms to encrypt data at rest, such as those used by AWS KMS, remain quantum-resistant.
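To check the client side of that shared responsibility, the following added example (not AWS code) parses a captured TLS ClientHello and reports whether the client advertises a hybrid ECDH + ML-KEM group. The function names and the sample builder are illustrative assumptions; the group code points are the IANA TLS Supported Groups values.

```python
# IANA TLS Supported Groups code points for hybrid ECDH + ML-KEM key exchange.
HYBRID_PQ = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024"}

def _vec(buf, off, n):
    """Read a vector with an n-byte length prefix; return (payload, next_offset)."""
    end = off + n + int.from_bytes(buf[off:off + n], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + n:end], end

def client_hello_groups(record):
    """Return (supported_groups, key_share groups) from a TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body, _ = _vec(record, 6, 3)        # handshake body follows the msg_type byte
    _, off = _vec(body, 34, 1)          # skip legacy_version + random, read session_id
    _, off = _vec(body, off, 2)         # cipher_suites
    _, off = _vec(body, off, 1)         # legacy_compression_methods
    exts, _ = _vec(body, off, 2)
    offered, shares, pos = [], [], 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == 10:              # supported_groups; skip the 2-byte list length
            offered = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data) - 1, 2)]
        elif ext_type == 51:            # key_share: list of (group, key_exchange)
            entries, p = _vec(data, 0, 2)[0], 0
            while p < len(entries):
                shares.append(int.from_bytes(entries[p:p + 2], "big"))
                _, p = _vec(entries, p + 2, 2)
    return offered, shares

def assess(record):
    """Classify a client by the key exchange groups its ClientHello advertises."""
    offered, shares = client_hello_groups(record)
    if not any(g in HYBRID_PQ for g in offered):
        return "classical-only"         # session keys exposed to harvest now, decrypt later
    return "hybrid-share-sent" if any(g in HYBRID_PQ for g in shares) else "hybrid-offered-only"

def sample_hello(groups, share_groups):
    """Constructed ClientHello with dummy 4-byte key shares, for offline testing only."""
    u16 = lambda v: v.to_bytes(2, "big")
    vec = lambda d: u16(len(d)) + d
    sg = vec(b"".join(u16(g) for g in groups))
    ks = vec(b"".join(u16(g) + vec(bytes(4)) for g in share_groups))
    body = b"\x03\x03" + bytes(33) + b"\x00\x02\x13\x01\x01\x00" + vec(u16(10) + vec(sg) + u16(51) + vec(ks))
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + vec(hs)
```

A client reported as `classical-only` needs a TLS library or browser update before it can benefit from the upgraded endpoints; `hybrid-offered-only` means the group is advertised but no hybrid key share is sent in the first flight.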
Protect against future impersonation
As described in the AWS post-quantum cryptography migration plan (blog post), establishing quantum-resistant roots of trust is critical for systems that need to maintain security for extended periods of time. ML-DSA, a signature scheme standardized in FIPS 204, provides quantum resistance while maintaining the performance characteristics needed for deployments at scale.
AWS Private CA and AWS KMS together support post-quantum capabilities that can be used for code signing. Consumers of signed code that have been pre-provisioned with the post-quantum PKI roots can rest assured that the software could not have been forged by an adversary with a cryptographically relevant quantum computer (CRQC).
Latest news and blog posts
Take the first step to benchmark, prototype, or understand the performance impact of quantum-resistant cryptography on AWS services by reviewing the AWS Security blog posts about Transport Layer Security (TLS), QUIC, and Secure Shell (SSH).
Post-quantum (ML-DSA) code signing with AWS Private CA & AWS KMS
November 17, 2025
Following our recent announcement of ML-DSA support in AWS Key Management Service (AWS KMS), we just introduced post-quantum ML-DSA signature support in AWS Private Certificate Authority (AWS Private CA). Customers can use AWS Private CA to create and manage their own private public key infrastructure (PKI) hierarchies. Through this integration, you can establish and use customer-managed quantum-resistant roots of trust for code signing, device authentication, outside (of AWS) workload authentication with AWS IAM Roles Anywhere, or communication tunnels such as IKEv2/IPsec or Mutual TLS (mTLS) using private PKI.
How to create post-quantum signatures using AWS KMS and ML-DSA
June 13, 2025
As the capabilities of quantum computing evolve, AWS is committed to helping our customers stay ahead of emerging threats to public-key cryptography. Today, we’re announcing the integration of FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA) into AWS Key Management Service (AWS KMS). Customers can now create and use ML-DSA keys through the same familiar AWS KMS APIs they use today for digital signatures, including CreateKey, Sign, and Verify operations. This new feature is generally available.
ML-KEM post-quantum TLS supported in KMS, ACM, & Secrets Manager
April 7, 2025
In this blog post, we announce that the latest hybrid post-quantum key agreement standards for TLS have been deployed to three AWS services. AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager endpoints now support Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for hybrid post-quantum key agreement in non-FIPS endpoints in all AWS Regions in the aws partition.
AWS post-quantum cryptography migration plan
December 5, 2024
In this blog post, we cover how AWS will migrate to Post Quantum Cryptography (PQC) as part of our shared responsibility model. We also provide information about how to implement a PQC migration strategy for your organization and where AWS is today in the journey of migrating to PQC, and we outline our path forward.
Featured learning resources
Workshop: Post-Quantum Cryptography on AWS
This workshop gives hands-on experience with post-quantum cryptographic algorithms and shows how their performance and sizes differ from classical ones. It shows how AWS services like AWS KMS can be used with AWS SDKs to establish a quantum-safe tunnel to transfer the most critical IT secrets protected from a theoretical computer targeting these communications in the future. Learn how these tunnels leverage classical and quantum-resistant key exchanges to offer the best of both worlds.
Chalk Talk: How security maturity enables cryptographic agility
In this re:Invent 2025 chalk talk, you can learn more about recent AWS post-quantum cryptography (PQC) releases and how to use them in your AWS-native workloads. You can also learn how AWS achieves crypto-agility and how you can apply these principles to your custom workloads.
Standards and industry collaborations
We're working with researchers around the world to help author the following standards:
NIST
The NIST Post-Quantum Cryptography standardization effort is a process to solicit, evaluate, and standardize quantum-resistant public-key cryptographic algorithms. The new public-key cryptography standards specify additional digital signature algorithms and key encapsulation mechanisms (KEM) to augment Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard (DSS), as well as NIST Special Publication 800-56A. NIST has already standardized the key encapsulation mechanism ML-KEM and the signature algorithms ML-DSA and SLH-DSA, and is in the process of standardizing one more KEM and two or more signature schemes.
Of the standardized algorithms, AWS team members have contributed to ML-KEM, ML-DSA and SLH-DSA.
IETF
The standardization of hybrid key exchange in TLS 1.3. This IETF draft is motivated by the transition to quantum-resistant cryptography, in particular, defining more explicitly how we will navigate the transitional phase from classical to post-quantum algorithms in the Transport Layer Security (TLS) protocol version 1.3.
The standardization of ML-DSA and ML-KEM in X.509 certificates. These are two IETF documents that describe the conventions for using the quantum-resistant signature ML-DSA and KEM ML-KEM, respectively, in Internet X.509 certificates and certificate revocation lists. The conventions for the associated post-quantum signatures, subject public keys, and private keys are also described. ML-DSA in X.509 was standardized in RFC9881. ML-KEM in X.509 is being standardized in draft-ietf-lamps-kyber-certificates.
The standardization of the SLH-DSA in the Cryptographic Message Syntax (CMS). CMS is the IETF's standard for cryptographically protected messages. It can be used to digitally sign, digest, authenticate or encrypt any form of digital data. SLH-DSA in CMS was standardized in RFC9814.
The standardization of Post-Quantum Hybrid Key Exchange in Secure Shell that extends the SSH Transport Layer Protocol with post-quantum hybrid key exchange methods.
The standardization of Post-Quantum Hybrid Key Exchange in IKEv2 which introduces ML-KEM key exchange in the Internet Key Exchange Protocol Version 2 (IKEv2).
ETSI
The European Telecommunications Standards Institute (ETSI) plays a leading role in the standardization of quantum-safe cryptography through its Technical Committee on Quantum-Safe Cryptography. The group focuses on identifying, evaluating, and standardizing post-quantum cryptographic algorithms and protocols, offering practical implementation guidelines to support a secure transition to quantum-resistant systems. In collaboration with academia, industry leaders, and governments, ETSI addresses the security impact of quantum computing, defines requirements for post-quantum algorithms, and provides best practices for deploying quantum-safe infrastructures.
Its work helps ensure interoperability, scalability, and performance in real-world applications. ETSI has published extensive technical reports and specifications on the transition to quantum-safe systems, including Technical Report TR 103 619 defining migration strategies and recommendations for Quantum-Safe schemes, and TS 103 744 on Quantum-Safe Hybrid Key Exchanges.
For more information, visit the ETSI Quantum-Safe Cryptography webpage.
Open source contributions
AWS Libcrypto (AWS-LC) is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and our customers. It is based on code from the Google BoringSSL project and the OpenSSL project. AWS-LC contains the post-quantum Key Encapsulation Mechanism ML-KEM and the post-quantum Digital Signature Algorithm ML-DSA. Read more here.
The PQ Code Package (PQCP) project is an open source project within the Linux Foundation which is part of the Post-Quantum Cryptography Alliance. It aims to build high-assurance software implementations of standards-track post-quantum cryptography algorithms. See pq-code-package/repositories for the list of repositories under the PQCP, including mlkem-native and mldsa-native, two secure, fast, and portable C90 implementations of ML-KEM and ML-DSA respectively.
s2n-tls is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. s2n-tls supports post-quantum key exchange for TLS 1.3. See more about post-quantum support in s2n-tls here.
s2n-quic is a fast, simple, thread- and memory-safe Rust implementation of the QUIC protocol. s2n-quic supports ML-KEM and ML-DSA through s2n-tls.
Learn more about AWS open source security and AWS open source cryptography contributions.
The ETSI Quantum-safe Hybrid Key Exchanges (QHKEX) project is part of ETSI Forge, an open-source repository for ETSI standards. The QHKEX project provides reference implementations and known answer tests for Technical Specification (TS) 103 744 CYBER; Quantum-Safe Cryptography (QSC); Quantum-safe Hybrid Key Establishment techniques.