ML-KEM-1024 FIPS 203
Triple-hybrid construction — X25519 + X448 + ML-KEM-1024 — bound under HKDF-SHA-256. Stronger than today's industry dual-hybrid. Library implementations (liboqs, BouncyCastle, @noble/post-quantum) cross-validated against shared KAT vectors.
Triple-Hybrid KDF
We combine three independent key encapsulation mechanisms — X25519 (classical elliptic), X448 (conservative elliptic), ML-KEM-1024 (lattice, NIST Level 5) — bound together with HKDF-SHA-256 and a ciphertext-binding label. The industry standard today is dual-hybrid (one elliptic + ML-KEM-768). Going triple-hybrid at Level 5 means: if any single algorithm is broken — classical or quantum — the session secret remains safe.
- Three independent assumptions: ECDLP × 2 + lattice
- HKDF-SHA-256 with ciphertext binding
- Forward-versioned protocol labels for clean migration
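A sketch of such a combiner, added here as an illustration and not the product's own code. The input ordering, length prefixes, transcript hash and label string are assumptions, and constructed byte strings of the real field sizes stand in for the X25519, X448 and ML-KEM-1024 outputs.

```python
import hashlib
import hmac

LABEL_V1 = b"example-triple-hybrid/v1"  # hypothetical versioned label, not from the page

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated fields cannot be re-split ambiguously."""
    return len(field).to_bytes(4, "big") + field

def combine(ss_x25519, ss_x448, ss_mlkem, pk_x25519, pk_x448, ct_mlkem, label=LABEL_V1):
    """Derive one 32-byte session secret from three shared secrets (assumed layout)."""
    # Every shared secret feeds the extract step, in a fixed order.
    ikm = lp(ss_x25519) + lp(ss_x448) + lp(ss_mlkem)
    # Ciphertext binding: the public values that produced those secrets go into
    # `info` with the label, so a modified ciphertext or label gives another key.
    transcript = hashlib.sha256(lp(pk_x25519) + lp(pk_x448) + lp(ct_mlkem)).digest()
    return hkdf_sha256(b"", ikm, lp(label) + transcript)

def sample_inputs() -> dict:
    """Constructed stand-ins with the real field sizes; no KEM is actually run."""
    def fill(tag: bytes, size: int) -> bytes:
        return hashlib.shake_256(tag).digest(size)
    return {
        "ss_x25519": fill(b"ss-x25519", 32), "pk_x25519": fill(b"pk-x25519", 32),
        "ss_x448": fill(b"ss-x448", 56), "pk_x448": fill(b"pk-x448", 56),
        "ss_mlkem": fill(b"ss-mlkem", 32), "ct_mlkem": fill(b"ct-mlkem", 1568),
    }

if __name__ == "__main__":
    base = sample_inputs()
    print("session secret:", combine(**base).hex())
    flipped = bytes([base["ct_mlkem"][0] ^ 1]) + base["ct_mlkem"][1:]
    print("after 1-bit ciphertext change:", combine(**{**base, "ct_mlkem": flipped}).hex())
```

Because all three shared secrets enter the extract step, an attacker who recovers any two of them still faces an unknown input; in a real handshake both peers must feed identical public values and the same label or their keys will not match.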
Side-channel hardened
ML-KEM uses FIPS 203 §8.3 implicit rejection: an invalid ciphertext produces a pseudo-random value rather than an error — no timing oracle. Tag comparison is constant-time. Memory holding key material is zeroized in two passes with a volatile fence so the compiler cannot elide the wipe.
- Implicit rejection on decapsulation failure (FIPS 203 §8.3)
- Constant-time authentication tag comparison
- Compiler-resistant memory zeroization
Continuous key rotation
Session keys rotate continuously throughout a call. The symmetric chain key advances after a small number of frames, ephemeral key material is re-derived sub-second, and the root ratchet steps every few minutes. An adversary recovering a key from second N learns nothing about the traffic before N or after the next rotation. Combined with the 3-factor trust model (TOFU + INTRODUCED + VERIFIED), the protocol degrades gracefully even against partial compromise.
- Sub-second forward-secrecy granularity
- 3-factor trust model: TOFU + INTRODUCED + VERIFIED
- Replay protection with sliding sequence window
Architecture
Post-Quantum VPN Tunnel
Post-quantum VPN
A tunnel that quantum computers cannot break.
ML-KEM-1024 + ML-DSA-87 · NIST FIPS 203/204
[Diagram: Endpoint A (Sovereign Silicon), Endpoint B (Sovereign Silicon)]
Hybrid PQC handshake
Protects today's traffic against tomorrow's quantum computers.
Harvest-now, decrypt-later — neutralized
Captured ciphertext stays opaque even after Q-Day.
Sovereign endpoints
No backdoors, no trusted third party in the path.
The tunnel is terminated only by sovereign silicon at both ends. Keys are negotiated with NIST-standardized post-quantum primitives and bound to hardware identities — nothing in the middle can read it, today or after Q-Day.