AWS Key Management Service (KMS) now supports the FIPS 203 Module-Lattice Digital Signature Standard (MLDSA), a quantum-resistant digital signature algorithm designed to help organizations address emerging quantum computing threats. This post-quantum signature algorithm is one of the selected algorithms standardized by NIST to protect sensitive information well into the foreseeable future, including after the advent of cryptographically relevant quantum computers. ML-DSA is particularly valuable for manufacturers and developers who need to protect firmware and application code signing where cryptographic signatures cannot be easily updated after deployment and for organizations that require signatures on digital content to remain valid for several years.
The ML-DSA keys integrate with the existing KMS CreateKey and Sign APIs, enabling customers to preserve their established automation processes, IAM and KMS key policies, auditing capabilities, and tagging workflows. AWS KMS support for ML-DSA introduces three new key specs (ML_DSA_44, ML_DSA_65, and ML_DSA_87) that work with the post-quantum SigningAlgorithm ML_DSA_SHAKE_256, with support for both raw signatures and the pre-hashed variant (External Mu).
This new feature is generally available and you can use ML-DSA in the following AWS Regions: US West (N. California), and Europe (Milan) with the remaining commercial AWS Regions to follow in the coming days. To learn more, see the AWS Security Blog for how to create post-quantum signatures using AWS KMS and ML-DSA, and see the ML-DSA signing topic in the AWS KMS Developer Guide.
Source:: Amazon AWS