3. Technical Implementation

3.1 Post-Quantum Algorithms

Dilithium3 (Digital Signatures)

Specification: NIST FIPS 204 (ML-DSA-65)

Parameters:

• Public key: 1,952 bytes

• Private key: 4,000 bytes

• Signature: 3,293 bytes

• Security level: NIST Level 3 (comparable to AES-192)

Performance (Apple M1, single-core):

• Key generation: ~1.2ms

• Signing: ~2.5ms

• Verification: ~1.0ms

Use Cases:

• Document signing

• Certificate authorities

• Code signing

• Blockchain transaction signing

Kyber768 (Key Encapsulation)

Specification: NIST FIPS 203 (ML-KEM-768)

Parameters:

• Public key: 1,184 bytes

• Private key: 2,400 bytes

• Ciphertext: 1,088 bytes

• Shared secret: 32 bytes

• Security level: NIST Level 3

Performance (Apple M1, single-core):

• Key generation: ~0.8ms

• Encapsulation: ~1.0ms

• Decapsulation: ~1.2ms

Use Cases:

• TLS 1.3 post-quantum handshakes

• Secure messaging

• Encrypted storage

• VPN key exchange

3.2 API Design

Authentication

Multi-modal authentication supports diverse use cases:

1. JWT (OAuth 2.0 / OIDC)

   • Enterprise integration

   • Web applications

   • Mobile apps

2. Chain Signature (Web3)

   • Ethereum (ECDSA)

   • Cosmos (Secp256k1)

   • Solana (Ed25519)

3. Development Mode

   • Owner header for testing

   • Disabled in production

Endpoints

Key Generation:

POST /api/v1/keys/{algorithm}/generate
Authorization: Bearer <jwt> or Signature <chain-sig>
Content-Type: application/json

{
  "purpose": "document-signing",
  "mode": "session",      // session, derived, time-limited, cloudhsm
  "ttl": "3600"           // seconds (for time-limited mode)
}

Response:
{
  "key_id": "key_a7b8c9d0...",
  "public_key": "base64-encoded-public-key",
  "algorithm": "dilithium3",
  "mode": "session",
  "created_at": "2026-01-07T12:00:00Z",
  "expires_at": "2026-01-07T13:00:00Z"
}

Digital Signing:

POST /api/v1/keys/{key_id}/sign
Authorization: Bearer <jwt>
Content-Type: application/json

{
  "message": "base64-encoded-message"
}

Response:
{
  "signature": "base64-encoded-signature",
  "algorithm": "dilithium3",
  "key_id": "key_a7b8c9d0...",
  "timestamp": "2026-01-07T12:01:00Z"
}

Key Encapsulation:

POST /api/v1/keys/{key_id}/encapsulate
Authorization: Bearer <jwt>

Response:
{
  "ciphertext": "base64-encoded-ciphertext",
  "shared_secret": "base64-encoded-32-byte-secret"
}

Full API docs coming - This is a high-level whitepaper.

3.3 Key Management Modes

Mode 1: Session Keys (Default)

Design Philosophy: Keys that never touch persistent storage

// Keys stored in memory only
type SessionKey struct {
    PrivateKey []byte
    PublicKey  []byte
    CreatedAt  time.Time
    ExpiresAt  time.Time // Auto-expire after 1 hour
}

// Automatic cleanup on expiration
func CleanupExpiredKeys() {
    for _, key := range sessions {
        if time.Now().After(key.ExpiresAt) {
            // Zero memory before deletion
            for i := range key.PrivateKey {
                key.PrivateKey[i] = 0
            }
            delete(sessions, key.ID)
        }
    }
}

Benefits:

• ✅ Zero persistence risk

• ✅ Automatic expiration

• ✅ Memory zeroed on cleanup

• ✅ Perfect for short-lived operations

Use Cases:

• Real-time signing

• API authentication

• Temporary credentials

• Development/testing

Mode 2: Derived Keys

Design Philosophy: Deterministic key generation from master seed

// Never store keys - derive on demand
func DeriveKey(masterSeed, keyID, userID []byte) []byte {
    // HKDF: Deterministic key derivation
    ikm := append(masterSeed, keyID...)
    ikm = append(ikm, userID...)
    
    // Same inputs = same key (reproducible)
    return hkdf.Expand(ikm, 32, "dilithium3-private-key")
}

Benefits:

• ✅ Stateless (no storage needed)

• ✅ Reproducible keys

• ✅ Master seed rotation possible

• ✅ Scales infinitely

Use Cases:

• Deterministic wallets

• Backup-less key recovery

• Multi-device sync

Mode 3: Time-Limited Keys

Design Philosophy: Persistent keys with automatic expiration

type TimeLimitedKey struct {
    KeyID      string
    PrivateKey []byte
    ExpiresAt  time.Time
    TTL        time.Duration // e.g., 30 days
}

// Auto-delete after TTL
time.AfterFunc(key.TTL, func() {
    SecureDelete(key.KeyID)
})

Benefits:

• ✅ Survives restarts

• ✅ Automatic cleanup

• ✅ Configurable lifetime

• ✅ Best-effort secure deletion

Use Cases:

• Certificates

• Temporary access tokens

• Audit-required operations

Mode 4: CloudHSM Keys (Phase 2)

Design Philosophy: Hardware-isolated key storage with FIPS certification

Client Request
    ↓
Cryptic Service (TEE)
    ↓ PKCS#11 API
AWS CloudHSM Cluster
    ↓
Private key INSIDE HSM hardware
(Never exported to software)

Benefits:

• ✅ FIPS 140-2 Level 3 certified

• ✅ Physical tamper resistance

• ✅ Keys never in software

• ✅ Compliance requirements met

• ✅ True key deletion

Limitations:

• ⚠️ Cost: $1,152+/month for HA setup

• ⚠️ Latency: ~5-10ms per operation

• ⚠️ No PQC support yet (awaiting NIST FIPS modules)

Use Cases:

• Financial institutions

• Certificate authorities

• Government/defense

• Regulatory compliance (PCI-DSS, HIPAA)