Post-Quantum Cryptography Algorithms
QBITEL Bridge implements NIST-standardized post-quantum cryptographic algorithms to protect data against both classical and quantum computing threats.
Why Post-Quantum Cryptography?
Current public-key cryptography (RSA, ECC) will be broken by sufficiently powerful quantum computers running Shor's algorithm. QBITEL Bridge uses NIST-standardized PQC algorithms to provide quantum-safe security today, protecting against "harvest now, decrypt later" attacks.
Supported Algorithms
ML-KEM (Kyber) -- Key Encapsulation
| Standard | FIPS 203 |
| Type | Key Encapsulation Mechanism (KEM) |
| Security Level | ML-KEM-768 (Level 3), ML-KEM-1024 (Level 5) |
| Use Case | TLS key exchange, session key establishment |
| Public Key Size | 1,568 bytes (ML-KEM-1024) |
| Ciphertext Size | 1,568 bytes (ML-KEM-1024) |
| Basis | Module Learning With Errors (MLWE) lattice problem |
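FIPS 203 has the encapsulating side validate a peer-supplied encapsulation (public) key before using it. The following added example (not QBITEL Bridge code) implements that length check and modulus check in Python and derives the 1,568-byte sizes listed in the table above. The function names are hypothetical, and the ML-KEM-768 parameters come from FIPS 203 rather than from this page.

```python
# Added example (not QBITEL Bridge code): FIPS 203 input checks for ML-KEM.
Q = 3329  # ML-KEM modulus
# Parameter set -> (k, d_u, d_v) as defined in FIPS 203.
PARAMS = {"ML-KEM-768": (3, 10, 4), "ML-KEM-1024": (4, 11, 5)}

def ek_length(name):
    """Encapsulation (public) key length in bytes: 384*k + 32."""
    return 384 * PARAMS[name][0] + 32

def ct_length(name):
    """Ciphertext length in bytes: 32 * (d_u*k + d_v)."""
    k, du, dv = PARAMS[name]
    return 32 * (du * k + dv)

def check_encapsulation_key(name, ek):
    """Return None if ek passes the type and modulus checks, else a reason."""
    if name not in PARAMS:
        return "unknown parameter set"
    if not isinstance(ek, (bytes, bytearray)) or len(ek) != ek_length(name):
        return "type check failed: wrong length"
    body = ek[:-32]  # packed 12-bit coefficients; the last 32 bytes are a seed
    for i in range(0, len(body), 3):  # every 3 bytes hold two coefficients
        c0 = body[i] | ((body[i + 1] & 0x0F) << 8)
        c1 = (body[i + 1] >> 4) | (body[i + 2] << 4)
        if c0 >= Q or c1 >= Q:
            return "modulus check failed: coefficient not reduced mod q"
    return None

def check_ciphertext(name, ct):
    """Length-only type check applied before decapsulation."""
    if name not in PARAMS:
        return "unknown parameter set"
    ok = isinstance(ct, (bytes, bytearray)) and len(ct) == ct_length(name)
    return None if ok else "type check failed: wrong length"

def pack12(coeffs):
    """Helper for constructed inputs: pack 12-bit values, two per 3 bytes."""
    out = bytearray()
    for c0, c1 in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([c0 & 0xFF, (c0 >> 8) | ((c1 & 0x0F) << 4), c1 >> 4])
    return bytes(out)

if __name__ == "__main__":
    # Constructed inputs, not real keys: 4*256 coefficients plus a 32-byte seed.
    good = pack12([Q - 1] * 1024) + bytes(32)
    bad = pack12([Q] + [0] * 1023) + bytes(32)
    for label, ek in (("good", good), ("bad", bad), ("short", good[:-1])):
        print(label, check_encapsulation_key("ML-KEM-1024", ek))
```

A key of the correct length can still fail the modulus check, so a length comparison alone is not sufficient validation at the FFI boundary.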
ML-DSA (Dilithium) -- Digital Signatures
| Standard | FIPS 204 |
| Type | Digital Signature Algorithm (DSA) |
| Security Level | ML-DSA-65 (Level 3), ML-DSA-87 (Level 5) |
| Use Case | Certificate signing, code signing, audit logs |
| Public Key Size | 2,592 bytes (ML-DSA-87) |
| Signature Size | 4,627 bytes (ML-DSA-87) |
| Basis | Module Learning With Errors (MLWE) lattice problem |
Falcon -- Compact Signatures
| Type | Digital Signature Algorithm |
| Security Level | Falcon-512 (Level 1), Falcon-1024 (Level 5) |
| Use Case | Bandwidth-constrained environments, IoT certificates |
| Signature Size | 1,280 bytes (Falcon-1024) -- smallest PQC signature |
| Basis | NTRU lattice problem with fast Fourier sampling |
SLH-DSA (SPHINCS+) -- Hash-Based Signatures
| Standard | FIPS 205 |
| Type | Hash-based Stateless Signature |
| Security Level | SLH-DSA-SHA2-256f (Level 5) |
| Use Case | Long-term archival signatures, high-assurance signing |
| Advantage | Security relies only on hash function properties -- most conservative assumption |
| Basis | Hash function security (SHA-256, SHAKE-256) |
Implementation Details
QBITEL Bridge implements PQC at two layers:
- Rust Data Plane (crates/pqc_tls/) -- PQC-TLS termination using liboqs FFI bindings
- Python AI Engine (ai_engine/crypto/pqc_unified.py) -- application-layer PQC for data encryption and signing
Symmetric Encryption
The PQC key exchange establishes symmetric keys, which then encrypt data with one of the following authenticated ciphers:
- AES-256-GCM -- authenticated encryption for data at rest and in transit
- ChaCha20-Poly1305 -- alternative authenticated cipher for resource-constrained devices
Performance Benchmarks
| Operation | Algorithm | Latency |
|---|---|---|
| Key generation | ML-KEM-1024 | < 0.1 ms |
| Encapsulation | ML-KEM-1024 | < 0.2 ms |
| Signing | ML-DSA-87 | < 0.5 ms |
| Verification | ML-DSA-87 | < 0.3 ms |
| Full TLS handshake | ML-KEM + ML-DSA | < 1 ms |
Next Steps
- Rust Data Plane -- PQC-TLS implementation details
- Zero-Trust Architecture -- PQC in the trust model
- Compliance Frameworks -- PQC regulatory requirements