“Still bouncing after 25 years – and now post-quantum certified to keep bouncing through the cryptography apocalypse.”
On 21 May 2025, the Bouncy Castle Project officially turns 25 years old. That is right – our favorite cryptographic castle has been standing tall since the days of Netscape Navigator, Y2K paranoia, and dial-up internet.
Over the years, it has grown from a simple Java Cryptographic Library into a globally trusted, multi-language cryptographic toolkit that is quantum-ready, FIPS-certified, and still open-source. Let’s take a light-hearted (and slightly nerdy) look back at 25 years of secure, standards-compliant fun.
1999–2000: Foundations of a Castle
Like many great things in tech, Bouncy Castle started in a modest and chaotic way. A handful of developers passionate about open source and cryptography came together in the late ’90s to build…well, something better than what was available at the time.
-
April 2000:
bouncycastle.orgis registered. -
May 2000: First Java beta published on the brand-new website.
-
October 2000: Java Release 1.00 drops. It’s not big, but it bounces.
Back then, Java cryptographic APIs were quirky, painful, and wildly inconsistent. Bouncy Castle swooped in like a caped superhero, but with more bit shifts and ASN.1 parsers.
2002–2007: Enter the Acronyms (and .NET)
The early 2000s were a golden age of acronyms. The Bouncy Castle team added support for just about every secure messaging protocol and cryptographic standard under the sun:
-
2002: CMS and S/MIME APIs land.
-
2003: OpenPGP joins the party.
-
2005: TSP (Timestamp Protocol) is added.
-
2007: First .NET C# release hits the website, because Java wasn’t confusing enough.
Maintaining two parallel codebases? A totally rational decision made while sleep-deprived and running out of coffee. Still, it paid off.
2013: Going Legit — and Post-Quantum
By 2013, the project had ballooned to over 300,000 lines of Java and 140,000 of C#. We had more interfaces than a ‘90s desktop GUI. It was time for two things:
-
A bit of a refactor.
-
A bit more organization.
That same year:
-
Feb 2013: The BCPQC provider debuts with experimental post-quantum cryptography. This was long before it was cool (or required by regulation).
-
May 2013: Full support added for TLS and DTLS in the BC low-level API.
-
Oct 2013: The Legion of the Bouncy Castle Inc. is born – a registered non-profit to protect the codebase, accept donations, and finally answer the question: “Who do I contact about FIPS?”
2016–2025: FIPS and the Quantum Leap
The past decade has been a whirlwind. Bouncy Castle became not just a tool for developers, but a trusted library for governments, enterprises, and regulated industries.
-
2016: First FIPS 140-2 certifications granted for both Java and C#. Linux Foundation funds the initial JSSE provider for TLS support – the BCJSSE.
-
2022: Support added for NIST Round 3 PQC candidates (Kyber, Dilithium, etc.)
-
2024: NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA) added.
-
2025: First hybrid FIPS 140-3 certified Java module with native acceleration!
We have gone from “how do I encrypt a file?” to “how do I protect my infrastructure against quantum computers and still pass audit?” Bouncy Castle has answers for both – and we’re just getting started.
The Legacy Lives On
Whether you are encrypting data at rest, securing messages in motion, or preparing for a future where your adversary has a quantum laptop powered by moonlight—Bouncy Castle has your back.
We have a stable and steadily growing team, complemented by a strong and active contributor base. This combination, along with our focus on staying relevant to user needs, has made the project a success, now reaching over 6 million downloads per month.
Looking ahead, the libraries will continue to evolve alongside advances in lightweight cryptography standards such as Ascon, and new post-quantum cryptographic algorithms like the upcoming FN-DSA. These developments will drive updates to related APIs across Cryptographic Message Syntax (CMS), S/MIME, timestamping, TLS, and OpenPGP.
Over the last 25 years, we have built more than just APIs. We have built trust, resilience, and a thriving community. So from all of us in the Castle:
Thank you for bouncing with us. 🎈 Happy 25th, Bouncy Castle! 🎈
