IBM has added support for two new NIST standard quantum-safe cryptographic algorithms: ML-KEM (FIPS 203) and ML-DSA (FIPS 204). These algorithms are now supported by IBM Crypto Express8S Hardware Security Modules (HSMs) running CCA 8.4 firmware. z/OS 2.5 or higher supports CCA 8.4 via ICSF APAR OA66395. (There are corresponding updates for Linux, and my understanding is that analogous updates for EP11 mode are coming.)
IBM Crypto Express8S HSMs are available on IBM z16, LinuxONE 4, z17, and LinuxONE 5 server models. However, please note that the z16 model A01 will be withdrawn from marketing on December 31, 2025. Any/all IBM Crypto Express8S orders (and other hardware upgrade orders) for the z16 model A01 must be placed before the withdrawal date. To my knowledge IBM Crypto Express8S is the first commercially available HSM to support these final NIST standard quantum-safe algorithms. It’s always great to stay ahead of the curve (pun intended). Crypto Express7S and Crypto Express8S previously led the way with the draft variants of these algorithms, formerly named CRYSTALS-Kyber and CRYSTALS-Dilithium. Please refer to this blog article for more information: https://community.ibm.com/community/user/blogs/richard-kisley1/2025/06/26/cca-84-for-ibm-z17-z16-ml-kem-ml-dsa ————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
