{"id":"security-post-quantum-cryptography","slug":"security-post-quantum-cryptography","title":"Security: Post-Quantum Cryptography","description":"\"Harvest now, decrypt later\" is not a theoretical threat. Intelligence agencies and well-resourced adversaries are already collecting encrypted traffic today, betting on the arrival of cryptographically relevant quantum ","category":"management","tags":["management","real-time","compliance","blockchain"],"lastModified":"2026-03-25","source_ref":"content/modules/security-post-quantum-cryptography.md","url":"/developers/security-post-quantum-cryptography","htmlPath":"/developers/security-post-quantum-cryptography","jsonPath":"/api/docs/modules/security-post-quantum-cryptography","markdownPath":"/api/docs/modules/security-post-quantum-cryptography?format=markdown","checksum":"5e39e144d1239810a67ce5a237dbbb35789bbfd2d8ebb7236dcc19cbd350ee70","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"use-cases","text":"Use Cases","level":2},{"id":"integration","text":"Integration","level":2}],"markdown":"# Security: Post-Quantum Cryptography\n\n## Overview\n\n\"Harvest now, decrypt later\" is not a theoretical threat. Intelligence agencies and well-resourced adversaries are already collecting encrypted traffic today, betting on the arrival of cryptographically relevant quantum computers within the next decade. For defence organisations, law enforcement agencies, and critical infrastructure operators, records that must remain confidential for ten or twenty years face a real risk if they are protected only by RSA or elliptic curve cryptography.\n\nArgus Post-Quantum Cryptography addresses this by applying quantum-resistant algorithm primitives to the platform's encryption, signing, and key-establishment workflows. 
The capability covers long-lived evidence records, inter-organisational data exchange, and the establishment of persistent real-time sessions, not just static exports. Organisations that need a credible cryptographic posture for high-assurance deployments can apply these controls selectively or uniformly across their operational environment.\n\n```mermaid\ngraph LR\n    A[Evidence Record / Signed Order / Audit Artefact] --> B[PQC Signing Module]\n    B --> C{Algorithm Selection}\n    C -- ML-DSA / CRYSTALS-Dilithium --> D[Quantum-Resistant Signature]\n    C -- ML-KEM / CRYSTALS-Kyber --> E[Quantum-Resistant Key Encapsulation]\n    D --> F[Long-Term Integrity Store]\n    E --> G[Session Key Material]\n    G --> H[Hardened WebSocket / Real-Time Channel]\n    F --> I[Verifier: Partner Org / Auditor]\n    J[Clearance and Governance Controls] -.->|access policy| B\n    K[Audit Logger] -.->|operation record| B\n```\n\n## Key Features\n\n- **Quantum-Resistant Algorithm Suite**: Apply modern quantum-resistant cryptographic primitives to encryption, signing, and key-establishment workflows. 
Supported algorithms follow the NIST PQC standardisation process, including ML-DSA (CRYSTALS-Dilithium) for signing and ML-KEM (CRYSTALS-Kyber) for key encapsulation.\n- **Long-Lived Integrity Protection**: Protect evidence, orders, audit artefacts, and high-value records that must remain trustworthy for years against future cryptanalytic capability.\n- **Secure Exchange Workflows**: Support partner and inter-organisational data sharing with stronger cryptographic assurance, including signing STIX bundles before diode transfer.\n- **Protected Session Establishment**: Use quantum-resistant key encapsulation mechanisms to harden the establishment of long-lived secure sessions.\n- **Real-Time Transport Hardening**: Extend stronger cryptographic posture to persistent real-time channels such as operations WebSocket connections, rather than limiting protection to static exports.\n- **Clearance and Governance Controls**: Apply administrative and access controls to cryptographic material and related operational use, aligned with the platform's secrecy-level model.\n- **Operational Auditability**: Preserve the evidence needed to show when quantum-resistant controls were used and how they were applied, for compliance and trust assurance purposes.\n\n## Use Cases\n\n- **Long-Term Evidence Integrity**: Protect digital evidence and formal records that must remain verifiable for extended retention periods against future cryptanalytic capability.\n- **Secure Partner Exchange**: Share sensitive operational data across organisational boundaries with stronger future-facing cryptographic assurance, particularly for cross-domain Eurydice diode transfers.\n- **Protected Real-Time Operations**: Harden persistent communication channels used during live missions, incidents, or command operations where session interception is a concern.\n- **High-Assurance Deployments**: Support environments where cryptographic posture is part of the broader trust model for the deployment, such as 
national-level command infrastructure or critical national infrastructure protection.\n\n## Integration\n\n- Secure messaging, sharing, and evidence workflows\n- Operations WebSocket and real-time session services\n- Identity, secrets, and audit-management systems\n- Export, signing, and cross-organisation exchange controls\n- Eurydice cross-domain diode transfers (bundle signing before transmission)\n\n**Last Reviewed:** 2026-03-25\n**Last Updated:** 2026-04-14\n"}