build 2.4.5 · keyex ml-kem-768 · fips 203/204 STH —

PARAMANT

Ghost Pipe — Industrial OT Brief

ML-KEM-768 IEC 62443 Burn-on-read Self-hosted ARM64

The problem with OT/IT data transfer is architectural, not operational.

OT networks cannot connect directly to cloud systems. VPNs create persistent attack surfaces. Legacy protocols (FTP, SMB, OPC-DA) are not quantum-safe. Sensor data in transit is being collected now for future decryption — the Harvest Now, Decrypt Later (HNDL) threat. Ghost Pipe is a quantum-safe data conduit designed for the IEC 62443 zone boundary.

Solution

What Ghost Pipe is

A RAM-only relay for the DMZ zone boundary. No VPN. No network reconfiguration. No persistent storage. Sensor data enters encrypted, burns after delivery. The relay is a conduit, not a server.

Deployable on a Raspberry Pi 3B+ at the field level, or in your existing DMZ on any Linux server.

What it is not

Not a SCADA historian. Not a VPN replacement for general traffic. Not a cloud service you depend on — the relay runs in your own infrastructure, under your own keys, and operates without external connectivity if needed.

Key Properties

ML-KEM-768 (NIST FIPS 203) — post-quantum key exchange, immune to harvest-now-decrypt-later
ML-DSA-65 (NIST FIPS 204) — post-quantum device signatures on every transfer
RAM-only relay — zero persistent storage, nothing to breach, nothing to image in a forensic incident
IEC 62443 SR 4.1, 4.2, 3.1, 2.8, 5.2 — compliance documentation included and maintained
ARM64 native — runs on Raspberry Pi 3B+ at the field level (512 MB RAM minimum)
Self-hosted relay in your DMZ — no external dependency, no SaaS relationship required
EU/DE jurisdiction — Hetzner Falkenstein, no US CLOUD Act exposure on managed relay
Fully open source — BUSL-1.1, audit every line at github.com/Apolloccrypt/paramant-relay
CT audit log — Merkle-based tamper-evident log, every transfer cryptographically provable

PARAMANT / OT

Architecture & Deployment

Purdue Model Ghost Pipe v2 April 2026

Purdue Model Placement

Level 4 Enterprise IT ← Cloud SCADA / historian / ERP Level 3 Operations IT ← paramant-receiver (Linux daemon or Python) ───────────────────────────────────────────────────────────────── Level 3.5 DMZ (conduit) ← Ghost Pipe relay (self-hosted, your server) ───────────────────────────────────────────────────────────────── Level 2 Control ← paramant-sender (PLC gateway / HMI) Level 1 Field devices PLC / DCS / sensor output → gateway Level 0 Physical process

Data Flow

PLC output → paramant-sender (Level 2) → [ML-KEM-768 encrypt client-side] → Ghost Pipe relay (DMZ) — stores ciphertext in RAM only, TTL 10 min default → [burn-on-read] → paramant-receiver (Level 3) → [client-side decrypt] → SCADA historian / cloud

The relay holds only ciphertext, only in RAM, only until delivered. It has no knowledge of sensor values, device identifiers, or process state. A full relay compromise yields zero plaintext.

Relay Properties

Receives only ciphertext — never sees plaintext sensor values
RAM-only store — wiped after delivery or TTL expiry
ML-DSA-65 signed Signed Tree Head after every Merkle update
Inclusion proof per transfer — tamper-detectable by any party
Device identity registry — /v2/did/register

WebSocket streaming — low-latency for continuous sensor data
NATS.io integration — optional push transport
Per-device API keys — revocation supported
Air-gap capable — no upstream internet required in self-hosted mode
Docker Compose — single docker compose up

Integration Examples

Continuous sensor mode

paramant-sender \
  --interval 15 \
  --device-id plc-line-01 \
  --key pgp_xxx \
  sensor-output.json

Sends one encrypted packet every 15 seconds. Each burns after the receiver reads it. Interval and TTL configurable.

Firmware distribution

paramant-firmware \
  --sign firmware-v2.1.bin \
  --device-group factory-01 \
  --key pgp_xxx \
  --ttl 86400

Signs the firmware binary with ML-DSA-65, distributes to device group. Each device downloads once and the package burns.

Edge Deployment (Raspberry Pi)

curl -fsSL https://paramant.app/install-pi.sh | bash
# → Installs relay on ARM64, configures systemd service, generates relay identity

Minimum hardware: Raspberry Pi 3B+ · 512 MB RAM · 4 GB SD · Ethernet. No display required. Connects to your DMZ network segment.

PARAMANT / OT

IEC 62443 Compliance Matrix

IEC 62443-3-3 SL-T 2 default SL-T 3 self-hosted

The table below maps IEC 62443-3-3 System Security Requirements to Ghost Pipe protocol properties. Documentation available at paramant.app/compliance/iec62443.

Requirement	Title	Ghost Pipe implementation	SL-T
SR 4.1	Information confidentiality	ML-KEM-768 client-side encryption. Relay never holds plaintext. Fixed-padding blobs — traffic analysis blind, SCADA message sizes not leaked.	2–3
SR 4.2	Use control	API key per device (`pgp_` end-user, `plk_` operator). Device identity registration via `/v2/did/register`. Key revocation supported. Per-key audit trail.	2–3
SR 3.1	Communication integrity	ML-DSA-65 (NIST FIPS 204) Signed Tree Head after every Merkle root update. Inclusion proof per transfer — tamper detectable by any party, including independent auditors.	2–3
SR 2.8	Auditable events	Public Certificate Transparency log at paramant.app/ct. Append-only, tamper-evident, publicly verifiable. Export to SIEM supported (JSON + CSV). Every transfer hash logged.	2–3
SR 5.2	Zone boundary protection	Self-hosted relay deployed in DMZ. No persistent data crosses zone boundaries. No direct L2↔L3 connection required. Relay operates without external internet in air-gap mode.	2–3
SR 1.1	Human user identification	Device enrollment via `POST /v2/did/register` with ECDH public key. DID (Decentralized Identifier) per device. Key rotation and revocation supported.	2
SR 1.2	Software process identity	Device identity bound to ML-DSA-65 public key. Every transfer signed by the originating device. Identity not forgeable by the relay.	2
SR 2.1	Authorisation enforcement	Per-key transfer quota and rate limiting. Plan-based access control (free / pro / enterprise). Relay rejects keys that exceed plan limits with HTTP 402/429.	2

Security Level Target

SL-T 2 — default managed relay configuration
SL-T 3 — self-hosted relay, air-gapped, no external internet
SL-T 3 requires: self-hosted relay + private sector + no external DNS dependency

Independent audit

RAPTOR security audit completed April 2026
All critical and high findings resolved
Full report available on request to qualified prospects
Source code: github.com/Apolloccrypt/paramant-relay

Note: Compliance documentation maps Ghost Pipe capabilities to IEC 62443 requirements. It is not a third-party certification. Customers seeking SL-T 3 certification should engage a certified IACS assessment body (e.g., TÜV, DNV) for formal verification.

PARAMANT / OT

Deployment & Pricing

Hetzner DE Docker BUSL-1.1

Performance Reference

Payload	Relay (EU/DE managed)	Self-hosted LAN	Notes
4 KB sensor packet	p50: ~80ms · p95: ~180ms	<10ms typical	Includes TLS + ML-KEM encapsulation
64 KB config blob	p50: ~140ms · p95: ~320ms	<20ms typical	Single chunk, base64 encoded
1 MB firmware chunk	p50: ~900ms · p95: ~2.1s	<80ms typical	5 MB max on free tier
5 MB max blob	p50: ~4.2s · p95: ~9s	<400ms typical	RAM limit per relay: 512 MB

Benchmarks: EU sender/receiver pair, Hetzner Falkenstein relay, 100 Mbps uplink. Self-hosted LAN: 1 Gbps local network. Run paramant-benchmark.py to validate in your environment.

Deployment Options

Managed relay

iot.paramant.app — Hetzner DE. Free evaluation: 1000 transfers / 30 days, no daily cap. Pro and Enterprise keys available.

No infrastructure required. Start evaluating in minutes.

Self-hosted (Linux)

docker compose up -d
# or
curl -fsSL paramant.app/install.sh | bash

Any Linux server. systemd unit included. Reverse proxy config for nginx/Caddy provided.

Edge (Raspberry Pi)

curl -fsSL \
  paramant.app/install-pi.sh \
  | bash

ARM64 native. 512 MB RAM min. Runs headless. Ideal for field-level DMZ segment.

Pricing

Evaluation

Free

Managed relay, no CC

1000 transfers / 30 days
No daily cap
5 MB per transfer
1 OT device

Pro

€12_/mo

Managed, unlimited

Unlimited transfers
50 MB per transfer
5 OT devices
WebSocket streaming

Enterprise

Custom

Dedicated or on-premise

Dedicated relay
Custom SLA / DPA
Unlimited devices
IEC 62443 compliance docs
On-premise / air-gap

Community self-hosted: BUSL-1.1 free forever, up to 5 users. Your server, your jurisdiction, your keys. No license required for evaluation.