1. Executive Summary
This document defines the cryptographic key lifecycle management policy for all products in the PQC ecosystem. It establishes mandatory procedures for key generation, storage, usage, rotation, revocation, and destruction to ensure quantum-safe cryptographic operations.
Scope: All PQC products including blockchain, wallets, browsers, certificate authority, chat, and e-signature services.
2. Key Types and Algorithms
2.1 Post-Quantum Algorithms (NIST Standardized)
| Algorithm | Purpose | Security Level | Products |
|---|---|---|---|
| ML-DSA-44 | Digital Signatures | NIST Level 2 (128-bit) | All products |
| ML-DSA-65 | Digital Signatures | NIST Level 3 (192-bit) | CA, E-Signature, Extension |
| ML-DSA-87 | Digital Signatures | NIST Level 5 (256-bit) | CA (Enterprise) |
| ML-KEM-768 | Key Encapsulation | NIST Level 3 (192-bit) | Chat, Extension |
⚠️ Policy: Legacy algorithms (ECDSA) MUST only be used in hybrid mode alongside PQC algorithms. Pure classical crypto is prohibited for new implementations.
3. Key Generation
3.1 Entropy Requirements
- Minimum entropy: 256 bits from FIPS 140-2 validated RNG
- Entropy sources:
  - /dev/urandom (Linux/macOS)
  - BCryptGenRandom (Windows)
  - Hardware RNG where available (Intel RDRAND, TPM)
3.2 Generation Libraries
| Platform | Library | Version |
|---|---|---|
| Browser/Extension | @noble/post-quantum | 0.2+ |
| Mobile (iOS) | Native Swift + liboqs | FIPS validated |
| Mobile (Android) | BouncyCastle + native JNI | 1.70+ |
| Backend | OpenSSL 3.0+ with OQS Provider | 3.0+ |
| Blockchain | BouncyCastle (Dilithium) | 1.78+ |
4. Key Storage
4.1 Storage by Product Type
Certificate Authority (Root Keys):
- HSM (FIPS 140-2 Level 3)
- Offline storage (air-gapped)
- Multi-signature access control (M-of-N)
- Annual audit required
Mobile Wallets:
- iOS: Keychain (encrypted with Secure Enclave)
- Android: Keystore (backed by TEE/StrongBox)
- Backup: 24-word mnemonic phrase (offline storage)
4.2 Encryption at Rest
| Requirement | Standard |
|---|---|
| Encryption Algorithm | AES-256-GCM or ChaCha20-Poly1305 |
| Key Derivation | Argon2id (password-based) or hardware-backed KEK |
| Policy | No plaintext storage - violations are security incidents |
5. Key Rotation
| Key Type | Rotation Frequency | Automated |
|---|---|---|
| CA Root Key | 5 years | No (manual ceremony) |
| CA Intermediate Key | 1 year | Yes |
| Server TLS Keys | 90 days | Yes (Let's Encrypt) |
| User Wallet Keys | Never (unless compromised) | No |
| Chat Session Keys | Per-session | Yes |
6. Key Revocation
6.1 Revocation Mechanisms
| Product | Mechanism | Update Frequency |
|---|---|---|
| Certificate Authority | OCSP + CRL | OCSP: Real-time, CRL: 24h |
| Blockchain | On-chain revocation registry | Per-block (~12s) |
| Chat | Server-side key blacklist | Real-time |
| Wallets | User-initiated only | N/A |
7. Compliance and Audit
7.1 Frameworks
- ✅ NIST SP 800-57 (Key Management)
- ✅ NIST FIPS 204 (ML-DSA)
- ✅ NIST FIPS 203 (ML-KEM)
- ✅ ISO 27001 (ISMS)
- ⏳ SOC 2 Type II (Planned 2026)
7.2 Audit Schedule
| Audit Type | Frequency | Responsible |
|---|---|---|
| Internal Audit | Quarterly | Security Team |
| External Audit | Annual | Third-party security firm |
| Policy Review | Annual | CTO + CISO |