Security architecture

Crypto agility — swap algorithms without rebuilding

The history of cryptography is a history of algorithms being broken. DES, MD5, SHA-1, RSA-512, RSA-1024 — all considered safe, all eventually deprecated. Crypto-agile systems survive algorithm breaks. Monolithic systems don't.

PARAMANT's hybrid approach gives you crypto agility by design: ML-KEM-768 + ECDH P-256 in parallel. If either algorithm is compromised, the other protects you. When the next NIST standard arrives, swapping one primitive doesn't break the system.

The algorithm landscape today

Which algorithms are safe now, and which have a known expiry date.

Algorithm | Type | Classical status | Quantum status | PARAMANT uses
ML-KEM-768 | KEM (FIPS 203) | Safe | Safe: lattice-based | ✓ primary KEM
ECDH P-256 | Key exchange | Safe | Broken by Shor's algorithm | ✓ hybrid (belt-and-suspenders)
AES-256-GCM | Symmetric cipher | Safe | Safe: Grover halves the effective key length, 256-bit survives | ✓ symmetric encryption
ML-DSA-65 | Signature (FIPS 204) | Safe | Safe: lattice-based | ✓ relay attestation
ECDSA P-256 | Signature | Safe | Broken by Shor's algorithm | ✓ hybrid fallback only
RSA-2048/4096 | KEM / signature | Safe | Broken by Shor's algorithm | ✗ not used
SHA-256 / SHA-3 | Hash | Safe | Safe: Grover provides no practical speedup at 256-bit | ✓ CT log, HMAC

Three operating modes

Configure per relay or per sender — no code changes required.

Default (recommended): Hybrid PQC

ML-KEM-768 + ECDH P-256 combined. Both must be broken to expose plaintext.
RELAY_MODE=ghost_pipe

Transition mode: Classical + PQC layer

Adds ML-KEM on top of existing TLS/SSH infrastructure without replacing it. Use during phased migration; interoperable with legacy systems.

Future (post-migration): Pure PQC

ML-KEM-768 only, classical layer dropped. Deploy once all endpoints have completed migration. Maximum efficiency, minimal attack surface.

How algorithm swapping works in practice

PARAMANT is designed to survive the next algorithm deprecation.

Step 1: NIST publishes new standard

E.g., ML-KEM-1024 replaces ML-KEM-768 due to new cryptanalysis.

Step 2: Relay update

One environment variable change. No schema migrations, no key regeneration required. The wire format has a version byte for exactly this purpose.

Step 3: Hybrid period

Old and new clients coexist during transition. Relay negotiates version. Zero-downtime migration; no coordinated cutover needed.

Step 4: Old algorithm retired

After all clients have updated, the old primitive is removed from the allowed set. No data was ever at risk; hybrid protected the transition window.

Wire format — versioned by design

Every encrypted blob carries a version byte. No flag days.

PQHB | VER | u32be(ctKemLen) | ctKem | u32be(senderPubLen) | senderPub | nonce(12) | u32be(ctLen) | ct | 5MB padding

PQHB: magic bytes
VER: version byte (0x02 = current)
ctKem: ML-KEM-768 ciphertext (u32be length prefix)
senderPub: sender public key (u32be length prefix)
nonce(12), ct: AES-256-GCM nonce and ciphertext (u32be length prefix on ct)
5MB padding: fixed padding (DPI size masking)

The VER byte allows the relay and SDK to support multiple wire formats simultaneously. Incrementing the version enables algorithm migration without breaking in-flight blobs. GCM AAD binds [VER, chunk_index] to the ciphertext, so the version byte is integrity-protected: a modified VER fails the GCM tag check rather than silently selecting a different primitive.
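As an added example (not PARAMANT's own code), here is a Python parser for the blob layout above that also enforces the allowed-version set from the migration steps, so that retiring a primitive is one set entry removed. The ASCII encoding of the magic, the version registry (0x02 = ML-KEM-768 with its 1088-byte FIPS 203 ciphertext; 0x03 for ML-KEM-1024 is hypothetical), the u32be chunk_index in the AAD and zero-byte padding are all assumptions.

```python
import struct

MAGIC = b"PQHB"  # assumption: the magic is the ASCII bytes "PQHB"
NONCE_LEN = 12
# Assumed version registry: VER byte -> expected ML-KEM ciphertext length.
# 0x02 (current) = ML-KEM-768, 1088-byte ciphertext per FIPS 203.
# 0x03 is hypothetical: ML-KEM-1024, 1568-byte ciphertext.
KEM_CT_LEN = {0x02: 1088, 0x03: 1568}

class BlobError(ValueError):
    pass

def _read_field(buf, off):
    """Read a u32be length prefix and the bytes it covers, rejecting overruns."""
    if off + 4 > len(buf):
        raise BlobError("truncated length prefix at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise BlobError("%d-byte field overruns blob at offset %d" % (n, off))
    return buf[off:off + n], off + n

def parse_blob(buf, allowed_versions):
    """Parse the header fields; trailing fixed padding after ct is ignored."""
    if len(buf) < 5 or buf[:4] != MAGIC:
        raise BlobError("bad magic or blob too short")
    ver = buf[4]
    if ver not in allowed_versions or ver not in KEM_CT_LEN:
        raise BlobError("version 0x%02x not in the allowed set" % ver)
    ct_kem, off = _read_field(buf, 5)
    if len(ct_kem) != KEM_CT_LEN[ver]:  # cheap check before the GCM tag catches a tampered VER
        raise BlobError("KEM ciphertext length does not match version")
    sender_pub, off = _read_field(buf, off)
    nonce, off = buf[off:off + NONCE_LEN], off + NONCE_LEN
    if len(nonce) != NONCE_LEN:
        raise BlobError("truncated nonce")
    ct, off = _read_field(buf, off)
    return {"ver": ver, "ct_kem": ct_kem, "sender_pub": sender_pub,
            "nonce": nonce, "ct": ct, "padding_len": len(buf) - off}

def gcm_aad(ver, chunk_index):
    """AAD the page says GCM binds: [VER, chunk_index]; u32be index is assumed."""
    return bytes([ver]) + struct.pack(">I", chunk_index)

def build_blob(ver, ct_kem, sender_pub, nonce, ct, padded_size):
    """Serialize and zero-pad to a fixed size (the page uses 5 MB; smaller here)."""
    body = (MAGIC + bytes([ver]) + struct.pack(">I", len(ct_kem)) + ct_kem
            + struct.pack(">I", len(sender_pub)) + sender_pub + nonce
            + struct.pack(">I", len(ct)) + ct)
    return body + b"\x00" * (padded_size - len(body))
```

Because every variable-length field is length-prefixed, the parser never has to know the padding size, which is what lets the relay change padding or add fields behind a new VER without breaking older readers.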

Start with hybrid PQC today

Deploy a self-hosted relay in minutes. It runs ML-KEM-768 + ECDH P-256 hybrid by default — no configuration required. Community Edition is free for up to 5 API keys.
