Amazon Pushes ML-KEM Quantum-Safe Encryption for Future Internet, AWS Blog Reveals

Amazon Pushes ML-KEM Quantum-Safe Encryption for Future Internet, AWS Blog Reveals

Amazon Web Services (AWS) has deployed the latest hybrid post-quantum key agreement standards for TLS for 23 AWS services. AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager endpoints now support the lattice-based Key Encapsulation Mechanism (ML-KEM) for hybrid post-quantum key agreements in non-FIPS endpoints across all AWS regions. The AWS Secrets Manager Agent, built on the AWS SDK for Rust, now provides optimal support for hybrid post-quantum key agreement. This allows customers to use end-to-end post-quantum–enabled TLS when bringing data into their applications.  

These three services were selected because they are security-critical and require the highest level of post-quantum confidentiality. They previously supported Crystals Kyber, which ML-KEM now replaces. Crystals Kyber will continue until 2025, but will be removed from all AWS service endpoints in 2026 as ML-KEM becomes the standard.  

Our Migration to Post-Quantum Cryptography 

AWS is following its post-quantum cryptographic migration plan as part of this. AWS will add MLKM support to all services with HTTPS endpoints over the next few years. Customers need to update their TLS clients and SDKs to use ML-KEM when connecting to AWS HTTPS endpoints. This helps protect against future threats from quantum computing. AWS endpoints will select ME, ML-KEM when clients offer it.  

Our hybrid pAWS can negotiate hybrid post-quantum key-agreement algorithms thanks to AWS LibCrypto and AWS LC. Our open-source FIPS 143-validated cryptographic library and S2N TLS, our open-source TLS implementation. AWS LC has received several FIPS certificates from NIST: 434631, 4759, and 4816, and was the first open-source cryptographic module to include MLKM in a FIPS 140-3 validation.  

ML-KEM on TLS Performance 

Migrating from an elliptic curve Diffie-Hellman (ECDH) only key agreement to an ECDH plus ML-KEM hybrid key agreement necessarily requires that the TLS handshake send more data and perform more cryptographic operations. Switching from a classical to a hybrid post-quantum key agreement will transfer approximately 1,600 additional bytes during the TLS handshake and will require approximately 80 to 150 microseconds more compute time to perform ML-KEM cryptographic operations. This is a one-time TLS connection startup cost or amortized over the lifetime of the TLS connection across the HTTP requests sent over it.  

AWS is working to provide a smooth migration to hybrid post-quantum key agreement for TLS. This work includes benchmarking example workloads to help customers understand the impact of enabling hybrid post-quantum key agreements with ML-KEM.  

Using the AWS SDK for Java v2, AWS measured how many AWS KMS GenerateDataKey requests per second a single thread can send between an Amazon EC2 C6i bare metal client and the public AWS KMS endpoint, both in the US West 2 region. Classical TLS connections used the P-256 elliptic curve, while hybrid post-quantum TLS connections used the X25519 elliptic curve with ML-KEM-768. Your results may vary depending on your environment, including instance type, workload, parallelism, number of threads, and network setup. The tests measured HTTP request rates with TLS connection reuse enabled and disabled. The handshake is never amortized, and every HTTP request must perform a full TLS handshake. Enabling hybrid post-quantum TLS reduces transactions per second (TPS) by about 2.3%, from 108.7 TPS to 106.2 TPS.  

Results show that enabling post-quantum TLS has little impact on performance. For most workloads, the maximum DPS rates dropped by just 0.05%. In the worst case, with each request creating a new TLS handshake, the drop was only 2.3%.   

Removing Support for Draft Post Quantum Standards 

AWS Service Endpoints that currently support Crystals Kyber, the predecessor to ML-KEM, will continue to support it through 2025. AWS will gradually phase out Crystals Kyber after customers switch to ML-KEM. If you are using an AWS SDK for Java version that only supports Crystals Kyber, upgrade to the latest version with ML-KEM support. If your code uses a recent AWS SDK for Java V2 release, no changes are needed for the transition from Crystals Kyber to ML-KEM.  

Customers whose clients currently use Crystals Kyber must upgrade their AWS Java SDK v2 to a version that supports ML-KEM before 2026, as Crystals Kyber will be removed in 2026. Clients that have not updated will automatically revert to using classical key agreements to maintain connectivity but will lose post-quantum confidentiality.  

How to use Hybrid Post Quantum Key Agreement 

To enable hybrid post-quantum key agreement in the AWS SDK for Rust, add rustls to your crate and activate the prefer-hybrid-post-quantum feature flag.  

For AWS SDK for Java 2.x, enable hybrid postquantum key agreement by calling .postquantumtlsenabled(true) when building the AWS common runtime HTTP client.  

Step 1: Add the AWS Common Runtime HTTP client to your Java dependencies 

Add the latest AWS Common Runtime HTTP Client to your Maven dependencies. Use version 2.30.22 or higher for ML-KEM support.  

Step 2: Enable Post-Quantum TRS in your Java SDK client configuration 

Select AWSCRTAsyncHTTPClient in your AWS Client setup. Enable post-Quantum TLS.  

Things to Try 

Here are a few ways you can use this client with Post-Quantum support:  

  • Run, Load, Tests, and Benchmarks: AWSCRTAsyncHTTPClient is high-performing and uses AWS LibCrypto on Linux. If you are new to it, compare its performance to the default SDK client. Afterward, enable Post Quantum TLS and check whether it outperforms the default client without it.  
  • Test connections from various locations: Requests may be made via proxies or firewalls that use Deep Packet Inspection (DPI). If blocked, ask your security team to update rules for these TLS algorithms. Share feedback on how your network handles this traffic.  

Conclusion: We’ve added ML-KM Hybrid Key Agreement to 3 AWS Endpoints with TLS connection reuse, enabling hybrid post-quantum TLS, with minimal impact on performance in our tests. We saw only a 0.05% drop in the maximum transactions per second when using AWS KMS-generated data key.

Source: ML-KEM post-quantum TLS now supported in AWS KMS, ACM, and Secrets Manager 

AWS Nitro Enclave V3.4: Introduces Sealed Generative Logic Isolation

AWS Nitro Enclave V3.4: Introduces Sealed Generative Logic Isolation

As confidential computing grows, keeping generative AI secure is now a top priority for enterprise architects. When companies shift from pilot projects to full-scale use of Large Language Models (LLMs), protecting model weights and prompt data during inference becomes a major challenge. To help solve this, Amazon Web Services has released AWS Nitro Enclaves v3.4, which introduces Sealed Generative Logic Isolation. 

This new feature changes how “data in use” is protected in the cloud. By building on the Nitro System, AWS now offers a secure, verifiable space where generative workloads can run without being exposed to the parent instance, system administrators, or the cloud provider. 

The Architecture of Sealed Generative Logic Isolation 

Sealed Generative Logic Isolation is a security tool made for the high memory and computing needs of modern AI. Older confidential computing setups often have trouble handling large model inference. Nitro Enclaves v3.4 addresses this by adding a hardware-based “seal” around the enclave’s memory and execution. 

When running a generative model in an enclave, Sealed Generative Logic Isolation keeps the full inference—reading the prompt through to output—inside a secure boundary. These enclaves block interactive access, have no persistent storage, and have no external network. Data moves only via a secure local vsock channel to the parent EC2 instance, which relays encrypted data. 

+1 

Cryptographic Attestation and Model Integrity 

A main update in v3.4 is the enhanced attestation document. In generative AI, proving the correct model runs is as important as data protection. Nitro Enclaves v3.4 allows detailed measurement of model weights and logic with Platform Configuration Registers (PCRs). 

Through integration with AWS Key Management Service (KMS), a Nitro Enclave can cryptographically prove its identity and the integrity of its “Generative Logic” before any decryption keys are released. This means that an LLM’s weights, often a company’s most valuable intellectual property, remain encrypted in Amazon S3 and are decrypted only in the enclave’s volatile memory. If the enclave’s code or the model’s signature is altered by even a single bit, the attestation fails, and the “seal” prevents the logic from being executed. 

+1 

Confronting the Challenges of Generative AI at Scale 

Large-scale AI deployments face three primary security hurdles: prompt leakage, model weight theft, and exposure of inference telemetry. AWS Nitro Enclaves v3.4 addresses these with a layered isolation approach: applications in which the parent instance never sees the unencrypted prompt or the model’s response. This is essential for domains such as healthcare and finance, where PII (Personally Identifiable Information) must be processed by AI without being logged or stored. 

  • Persistent Model Protection: Since enclaves lack persistent storage, decrypted model weights exist only in memory. When the enclave shuts down, the Nitro Hypervisor securely erases the memory, so attackers cannot recover any data. 
  • Refined Resource Allocation: v3.4 improves the balance between memory and compute, so larger enclaves can use high-performance instances like the c7i and r7g series. This means the added security does not significantly slow down inference. 

Pragmatic Deployment Workflows 

To deploy Sealed Generative Logic Isolation, you follow a clear DevOps process. First, you create an Enclave Image File (EIF) with the inference engine, such as vLLM or llama.cpp, and the required startup code. 

In v3.4, nitro-cli supports larger images and complex dependencies, simplifying the containerization of multimodal models. After signing and deploying the EIF, the enclave retrieves the model’s decryption key from KMS using its unique identity, keeping models isolated from the parent OS kernel. 

The Shift Toward Sovereign and Compliant AI 

This release comes as global regulations move toward Sovereign AI. Governments and international bodies now require AI processing to remain within specific legal and security boundaries. Using AWS Nitro Enclaves v3.4, organizations can demonstrate a “Zero-Trust” setup for their AI workloads. 

Isolation matters for Multi-Party Collaboration. With v3.4, two organizations can share sensitive data in a single enclave, running specialized “LoRA” analysis or training models while keeping the raw data inaccessible to either party. The enclave acts as a secure neutral “clean room” for generative logic. 

Conclusion: The New Baseline for AI Trust 

As generative AI transitions from novelty to a core component of enterprise infrastructure, the underlying “plumbing” must be as robust as the models themselves. The introduction of Sealed Generative Logic Isolation in AWS Nitro Enclaves v3.4 provides the technical foundation for this trust. By hardware-sealing the inference process, AWS is removing the major barriers to AI adoption in highly regulated sectors. 

For organizations seeking to securely integrate LLMs into workflows, v3.4 sets a new standard. It protects model intelligence, even in cloud environments.

Source: What is Nitro Enclaves?