Post-Quantum Cryptography

ML-KEM-1024 FIPS 203

Hybrid post-quantum key exchange — X25519 + ML-KEM-1024 — bound under HKDF-SHA-256 with ciphertext binding. A third classical curve (X448) is already exchanged on the wire and is being folded into the session key as additional hardening. Library implementations (liboqs, BouncyCastle, @noble/post-quantum) cross-validated against shared test vectors.

NIST FIPS 203 ML-KEM-1024Hybrid PQCHardware-acceleratedImplicit Rejection

Hybrid Key Exchange

We combine two independent key encapsulation mechanisms — X25519 (classical elliptic) and ML-KEM-1024 (lattice, NIST Level 5) — bound together with HKDF-SHA-256 and a ciphertext-binding label that closes known substitution attacks. If either algorithm is ever broken — classical or quantum — the session secret stays safe. A third curve, X448, is already exchanged during the handshake and is being integrated as further hardening.

  • Two independent assumptions today: ECDLP + lattice (a third is in progress)
  • HKDF-SHA-256 with ciphertext binding
  • Forward-versioned protocol labels for clean migration

Side-channel hardened

ML-KEM uses FIPS 203 §8.3 implicit rejection: an invalid ciphertext produces a pseudo-random value rather than an error — no timing oracle. Tag comparison is constant-time. Memory holding key material is zeroized in two passes with a volatile fence so the compiler cannot elide the wipe.

  • Implicit rejection on decapsulation failure (FIPS 203 §8.3)
  • Constant-time authentication tag comparison
  • Compiler-resistant memory zeroization

Continuous key rotation

Session keys rotate continuously throughout a call. The symmetric chain key advances after a small number of frames, and ephemeral key material is re-derived sub-second. An adversary recovering a key from second N learns nothing about the traffic before N or after the next rotation. Contact trust today relies on Trust-On-First-Use pairing, with stronger multi-tier verification on our roadmap.

  • Sub-second forward-secrecy granularity
  • TOFU-based trust today — stronger multi-tier model on the roadmap
  • Replay protection with sliding sequence window

Architecture

Post-Quantum VPN Tunnel

ANTI-DEEPFAKE ALWAYS ACTIVE · ENCRYPTED AND UNENCRYPTED CALLS · ZERO DATA TRANSMITTED · SOVEREIGN OPERATIONS · POST-QUANTUM ML-KEM-1024 · 3 PATENTS FILED
ANTI-DEEPFAKE ALWAYS ACTIVE · ENCRYPTED AND UNENCRYPTED CALLS · ZERO DATA TRANSMITTED · SOVEREIGN OPERATIONS · POST-QUANTUM ML-KEM-1024 · 3 PATENTS FILED