1. Home
  2. /
  3. Resources
  4. /
  5. The Bouncy Castle Project Turns 25: From JCE Jank to Quantum-Ready Royalty

The Bouncy Castle Project Turns 25: From JCE Jank to Quantum-Ready Royalty

hero-sub-3
Keyfactor Blog

2025-05-21

“Still bouncing after 25 years—and now post-quantum certified to keep bouncing through the cryptography apocalypse.”

On 21 May 2025, the Bouncy Castle Project officially turns 25 years old. That is right—our favorite cryptographic castle has been standing tall since the days of Netscape Navigator, Y2K paranoia, and dial-up internet.

Over the years, it has grown from a simple Java Cryptographic Library into a globally trusted, multi-language cryptographic toolkit that is quantum-ready, FIPS-certified, and still open-source. Let’s take a light-hearted (and slightly nerdy) look back at 25 years of secure, standards-compliant fun.

1999–2000: Foundations of a Castle

Like many great things in tech, Bouncy Castle started in a modest and chaotic way. A handful of developers passionate about open source and cryptography came together in the late '90s to build... well, something better than what was available at the time.

  • April 2000: bouncycastle.org is registered.
  • May 2000: First Java beta published on the brand-new website.
  • October 2000: Java Release 1.00 drops. It’s not big, but it bounces.

Back then, Java cryptographic APIs were quirky, painful, and wildly inconsistent. Bouncy Castle swooped in like a caped superhero, but with more bit shifts and ASN.1 parsers.

2002–2007: Enter the Acronyms (and .NET)

The early 2000s were a golden age of acronyms. The Bouncy Castle team added support for just about every secure messaging protocol and cryptographic standard under the sun:

  • 2002: CMS and S/MIME APIs land.
  • 2003: OpenPGP joins the party.
  • 2005: TSP (Timestamp Protocol) is added.
  • 2007: First .NET C# release hits the website, because Java wasn’t confusing enough.

Maintaining two parallel codebases? A totally rational decision made while sleep-deprived and running out of coffee. Still, it paid off.

2013: Going Legit—and Post-Quantum

By 2013, the project had ballooned to over 300,000 lines of Java and 140,000 of C#. We had more interfaces than a ‘90s desktop GUI. It was time for two things:

  • A bit of a refactor.
  • A bit more organization.

That same year:

  • Feb 2013: The BCPQC provider debuts with experimental post-quantum cryptography. This was long before it was cool (or required by regulation).
  • May 2013: Full support added for TLS and DTLS in the BC low-level API.
  • Oct 2013: The Legion of the Bouncy Castle Inc. is born—a registered non-profit to protect the codebase, accept donations, and finally answer the question: “Who do I contact about FIPS?”

2016–2025: FIPS and the Quantum Leap

The past decade has been a whirlwind. Bouncy Castle became not just a tool for developers, but a trusted library for governments, enterprises, and regulated industries.

  • 2016: First FIPS 140-2 certifications granted for both Java and C#. Linux Foundation funds the initial JSSE provider for TLS support - the BCJSSE.
  • 2022: Support added for NIST Round 3 PQC candidates (Kyber, Dilithium, etc.)
  • 2024: NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA) added.
  • 2025: First hybrid FIPS 140-3 certified Java module with native acceleration!

We have gone from “how do I encrypt a file?” to “how do I protect my infrastructure against quantum computers and still pass audit?” Bouncy Castle has answers for both—and we’re just getting started.

The Legacy Lives On

Whether you are encrypting data at rest, securing messages in motion, or preparing for a future where your adversary has a quantum laptop powered by moonlight—Bouncy Castle has your back.

We have a stable and steadily growing team, complemented by a strong and active contributor base. This combination, along with our focus on staying relevant to user needs, has made the project a success, now reaching over 6 million downloads per month.

Looking ahead, the libraries will continue to evolve alongside advances in lightweight cryptography standards such as Ascon, and new post-quantum cryptographic algorithms like the upcoming FN-DSA. These developments will drive updates to related APIs across Cryptographic Message Syntax (CMS), S/MIME, timestamping, TLS, and OpenPGP.

Over the last 25 years, we have built more than just APIs. We have built trust, resilience, and a thriving community. So from all of us in the Castle:

Thank you for bouncing with us.

 

Sincerely,

David Hook, VP Software Engineering, Founder Legion of the Bouncy Castle

Related resources

KubeCon-Blog-Header_Trimmed2
DevOps
Signing
Blog
Ejbca
Signserver
7 November, 2024

Rethink PKI for Kubernetes: Scalable Security at KubeCon Salt Lake City

PKI matters more than ever for Kubernetes. In today’s cloud-native, DevOps-dr...
Read more
Keyfactor Blog
DevOps
Post-Quantum Cryptography
Blog
Ejbca
17 October, 2024

Reflections from this year’s Keyfactor Community Tech Meetup

Post-quantum cryptography, software supply chain security, and TECHSynergy co...
Read more
Close