VPN Post-Quantum
Proprietary VPN with a hybrid post-quantum handshake. Full customer ownership and control. No third party in the key path. Architecture compatible with HTTP/3 + MASQUE.
Hybrid PQ + classical handshake
The handshake combines ML-KEM-1024 (FIPS 203) with X25519 via HKDF-SHA-256. Even if one of the two primitives is broken in the future, sessions remain secure. Protection against harvest-now-decrypt-later attacks.
- ML-KEM-1024: 256-bit PQ security
- X25519: 128-bit classical security as fallback
- HKDF-SHA-256 combiner for the derived pre-shared key
Customer-owned keys
The BCrypto VPN never handles customer keys. The sovereign KMS runs inside the organization's infrastructure. Full key-lifecycle audit, configurable rotation policy, ZK-attestation that keys never left the enclave.
- Optional HSM or TPM-bound key storage
- Configurable rotation (hourly → monthly)
- Signed audit log of every key operation
HTTP/3 + MASQUE transport
The datapath uses HTTP/3 with MASQUE (RFC 9298) for UDP proxying. Indistinguishable from ordinary web traffic, resistant to DPI and censorship. Latency-optimized: 1-RTT handshake with ML-KEM.
- QUIC native transport (no TCP fallback necessario)
- MASQUE-on-HTTP/3 for UDP encapsulation
- Connections resilient to network changes (multipath)