Post-Quantum Hybrid Key Exchange for TLS 1.3

Jamil Nimeh on February 17, 2026

JEP 527 is now integrated into JDK 27! This feature enhances the security of Java applications by implementing hybrid key exchange algorithms for TLS 1.3. Such algorithms defend against future quantum computing attacks by combining a quantum-resistant algorithm with a traditional algorithm. Applications that use the javax.net.ssl APIs will benefit from these improved algorithms by default, without change to existing code. This feature is the next step in the Java Platform’s support for post-quantum cryptography. Early access builds beginning with build 6 have this feature.

TLS 1.3 with solely traditional key exchange algorithms are potentially vulnerable to the harvest now, decrypt later threat. By combining quantum-resistant ML-KEM with traditional elliptic-curve algorithms, the JDK implementation of TLS 1.3 is protected against such attacks.

We have delivered three algorithms that combine ML-KEM and ECDHE in the SunJSSE provider:

  • X25519MLKEM768: Hybrid scheme combining ECDHE with X25519 and ML-KEM-768,
  • SecP256r1MLKEM768: Hybrid scheme combining ECDHE using the secp256r1 curve with ML-KEM-768, and
  • SecP384r1MLKEM1024: Hybrid scheme combining ECDHE using the secp384r1 curve with ML-KEM-1024.

Enabling and Customizing Hybrid Key Exchange Support

By default X25519MLKEM768 is enabled alongside the other pre-existing non-hybrid supported key exchange methods. In the default case, TLS clients will provide two key exchange key shares - one X25519MLKEM768 and one x25519. Users may customize the list of supported key exchange algorithms for clients and servers to include any combination of supported hybrid and traditional key exchange algorithms. This can be accomplished two ways:

  • By setting the jdk.tls.namedGroups System property.
  • By calling the SSLParameters::setNamedGroups method when configuring an SSLSocket instance, as presented in the code snippet bellow.
SSLSocket tlsSock = (SSLSocket)(SSLContext.getDefault().
                                getSocketFactory().createSocket());
SSLParameters params = tlsSock.getSSLParameters();

// Configure the socket to use two hybrid KEM schemes and
// two traditional schemes
params.setNamedGroups(new String[] {
    "SecP256r1MLKEM768", "X25519MLKEM768", "secp256r1", "x25519"
});
tlsSock.setSSLParameters(params);

Next Steps

We encourage you to download the JDK 27 Early Access builds and try out this feature. Feedback is also welcomed through the security-dev mailing list (registration required).